Segmentation of Duty – Good Segmentation Makes Good Security
A key strategy for managing information security is to ensure that sensitive information is only handled by people who have responsibility for it. When you want to prevent sensitive data leaks, one of the first things to analyze is who is transmitting what kinds of information to whom. Three questions need to be answered about every transmission of sensitive data:
- Should the sender have access to it?
- Should the receiver have access to it?
- Is the transmission method appropriate?
Take an employee who works in HR transferring a personnel file to a cloud service. Nothing in "the cloud" says which service it is or who can read the file once it is there, so the answers look like this:
- Should the sender have access to this data? Yes
- Should the receiver have access to this data? Maybe
- Is the transmission method appropriate? Maybe
Wherever there is a maybe, there is a risk of data leakage. An intelligent data leak prevention system looks not just at the sender, but at the receiver and the transmission method as well. The sender, the receiver and the channel each carry a specific responsibility, and the question is whether all of those responsibilities are correctly aligned for the data in question.
The outcome therefore depends on where the file is going. If the sender is transferring an HR file to a personal email site in the cloud, the transfer should be flagged as a violation. If the sender is transferring an HR file to a social media site, the transfer should be blocked. If the sender is transferring the file to a sanctioned HR cloud app, there is no issue with the action.
Segmentation of Duty information (more commonly called segregation of duties) already exists as your company's business logic in Active Directory or HR databases, which record an individual's title, department and role within the company. Using this as the basis for your security policies makes your existing business logic a critical part of Data Leak Prevention. The decisions are only as good as that data, so stale group memberships or missing role attributes in the directory translate directly into wrong allow or block decisions.
This becomes even more powerful when the information security permissions of both sender and receiver are checked automatically to see whether their roles match the sensitivity of the information being shared. Who is sending what to whom? Being able to compare the roles of senders and receivers against data sensitivity is a critical piece of preventing data leakage, and driving those comparisons from your company's own business logic ensures they are made accurately.
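The following is an added example, not code from the original article or from any vendor product, showing how the three questions above and the flag/block/allow outcomes of the HR example can be encoded as one policy check driven by directory roles. The directory, classification and destination tables are constructed sample data, and the exact decision rules (block a sender who is not entitled to the data, flag a mismatched internal receiver, flag an unknown destination, block sensitive data to social media) are an illustrative policy, not the page's own product logic.

```python
"""Added example: a sender / receiver / channel policy check for DLP.

All tables below are constructed sample data standing in for a directory
(AD or an HR database), a data classification scheme and a destination
catalogue. The BLOCK / FLAG / ALLOW rules are an illustrative policy.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    FLAG = "flag"    # deliver, but raise an alert for review
    BLOCK = "block"  # stop the transfer


# Constructed stand-in for the directory: who holds which role.
DIRECTORY = {
    "alice": {"dept": "hr", "title": "HR Generalist"},
    "bob": {"dept": "engineering", "title": "Software Engineer"},
    "carol": {"dept": "finance", "title": "Payroll Analyst"},
}

# Constructed classification: which departments are entitled to each label.
# None means the label carries no restriction.
ENTITLEMENTS = {
    "hr-personnel-file": {"hr"},
    "public": None,
}

# Constructed destination catalogue: what kind of channel each host is and,
# for sanctioned apps, which departments it is approved for.
DESTINATIONS = {
    "hr-suite.example": {"kind": "sanctioned-app", "approved_for": {"hr"}},
    "webmail.example": {"kind": "personal-email", "approved_for": set()},
    "social.example": {"kind": "social-media", "approved_for": set()},
}


@dataclass
class Decision:
    action: Action
    reasons: list = field(default_factory=list)


def evaluate(sender: str, destination: str, label: str) -> Decision:
    """Answer the three questions for one transfer and combine them.

    `destination` is either a user in DIRECTORY (internal recipient) or a
    host in DESTINATIONS (external channel). An unknown label or destination
    is the "maybe" case and is flagged rather than silently allowed.
    """
    if label not in ENTITLEMENTS:
        return Decision(Action.FLAG, [f"unknown classification {label!r}"])
    entitled = ENTITLEMENTS[label]
    if entitled is None:
        return Decision(Action.ALLOW, [f"{label!r} is unrestricted"])

    # Q1: should the sender have access to it?
    sender_rec = DIRECTORY.get(sender)
    if sender_rec is None or sender_rec["dept"] not in entitled:
        # A sender who should not hold the data at all is the strongest signal.
        return Decision(Action.BLOCK,
                        [f"sender {sender!r} is not entitled to {label!r}"])

    # Q2: internal recipient, so compare the receiver's role with sensitivity.
    if destination in DIRECTORY:
        if DIRECTORY[destination]["dept"] in entitled:
            return Decision(Action.ALLOW,
                            ["sender and receiver roles match the sensitivity"])
        return Decision(Action.FLAG,
                        [f"receiver {destination!r} role does not match {label!r}"])

    # Q3: external channel, so is the transmission method appropriate?
    dest = DESTINATIONS.get(destination)
    if dest is None:
        return Decision(Action.FLAG, [f"unknown destination {destination!r}"])
    if dest["kind"] == "sanctioned-app" and dest["approved_for"] & entitled:
        return Decision(Action.ALLOW,
                        [f"{destination} is a sanctioned app for {label!r}"])
    if dest["kind"] == "social-media":
        return Decision(Action.BLOCK, [f"{label!r} sent to social media"])
    # Personal email, or a sanctioned app approved for another department.
    return Decision(Action.FLAG,
                    [f"{label!r} sent to {dest['kind']} {destination}"])


if __name__ == "__main__":
    # Walk through the article's HR example plus a few edge cases.
    for who, where in [("alice", "hr-suite.example"), ("alice", "webmail.example"),
                       ("alice", "social.example"), ("bob", "hr-suite.example"),
                       ("alice", "carol"), ("alice", "unknown.example")]:
        d = evaluate(who, where, "hr-personnel-file")
        print(f"{who:6} -> {where:18} {d.action.value:5} {'; '.join(d.reasons)}")
```

The order of the checks matters: the sender's entitlement is tested first, because a sender who should never have held the data is a stronger signal than an odd destination, and every branch the policy cannot classify falls through to FLAG rather than ALLOW, which is the "maybe" the article warns about.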
We invite you to see a demo of how this can work for your company.