By Peter Bradley, CEO of Torsion Information Security
If we have the right processes in place to protect our data and control access to files and folders, we will naturally avoid more data breaches and remain compliant with regulations such as GDPR.
There are issues to overcome, however, and they mainly arise from a very traditional way of managing data. Internally, there’s often an element of ‘my data is always more important than everyone else’s data’, or ‘It must be kept forever’ or ‘It must be treated in a different way’. But when it comes to compliance, you have to make decisions. You can’t just implement cloud-based collaboration platforms such as Teams or Office 365 without implementing clear data governance policies. It’s about getting people together, making a totalitarian decision. Agree how you are going to manage the data and then go ahead with it, no buts or ifs.
The other problem is, even if you make those decisions, how do you police them? You can’t stand behind your business users to make sure they are classifying the data correctly. And you can’t expect your IT team to do this within their role either. You have to rely on an element of automation or machine learning.
The automation could combine encryption and rights management services with data loss prevention technologies and cloud application security. We need an audit trail of who’s got access to which data, why and when.
Torsion is one such automated machine learning platform. It works with collaboration tools such as SharePoint and Microsoft Teams to automatically monitor and detect any inappropriate access, out-of-date folders and permissions, or the movement of files. If anything doesn’t look quite right, it will promptly alert a business user associated with the file and shut down any potential breaches. Other than that, it can run seamlessly in the background until and unless it is required. Owners or creators of files and folders can certify and revoke access themselves, taking the responsibility away from the IT function.
Peter Bradley, CEO at Torsion says: “Businesses of all sizes must empower the role that employees and partners play in safeguarding the company’s data. However, expecting them to be aware of security breaches on a day to day basis when there is such a growing volume of files and data is simply unrealistic.
“By automating the process of file sharing and prompting the business user if anything looks suspicious, inconsistent or not relevant, they can carry on with their main responsibilities confident that they are also keeping their data safe and secure.
“When we show businesses how the machine learning technology works, and that data security doesn’t have to be an IT problem any more, they sit there silent for a minute and then say it’s how they should have been thinking about this problem for the last 20 years. We’ve been thinking about this problem incorrectly the whole time.”
How machine learning is being used for data security
Patrick Reynolds, Head of Operations at Neotas, who use Torsion’s machine learning software says: “We are a firm believer in using SharePoint, data encryption and IRM (Information Rights Management). Keeping everything secure and in house is key to what we do. We share thousands of links around certain structures and have a lot of restrictions on our libraries.
“As part of our ISO 27001 accreditation we really need to have a robust system in place and that comes from SharePoint being at the heart of all of our documentation. We need to mitigate all the risks and a solution like this gives us peace of mind by being able to make changes really quickly throughout all of our architecture.”
Others are also turning to the automated solution because of the coronavirus pandemic. One particular government agency has had to furlough some of their workforce, but where possible they re-assigned responsibilities so that as many employees as possible can continue to work from home.
However, to ensure each employee could start working in their new roles, they needed to make sure everybody had access to the right files and folders.
Granting temporary access to internal data within a collaboration platform such as Teams or SharePoint can often be a logistical headache: first establishing who needs access to what information; then updating permissions manually; and finally revoking that access once it is no longer needed. There can often be a period of a couple of weeks where employees can’t do their job as they don’t have access to the information they need. If access is not revoked when the temporary roles end, it leads to out-of-control access and potential security breaches.
This is the situation now facing many businesses taking on temporary workers during the pandemic.
Using the machine learning from Torsion, they automatically manage their file and folder permissions. The technology works within their Teams platform to monitor access, alert business users to any security issues and remove access when it is not needed.
They can grant temporary access to files and folders for a set period of time and the machine learning automatically works out what information a team member might need, in addition to their existing permissions, and grants them access for a fixed number of days. At the end of the period the access is automatically revoked.
The temporary team members are up and running with everything they need almost immediately, and the company has a clear audit trail of who has access to what information, when and why.
If we use the right automation tools to stay in control of who has access to what, why and when, we will consequently be in control of our data sharing and compliant regardless of the volume of files being shared. We must remember that good compliance does not necessarily give you data security, but data security gives you good compliance.
Proving compliance to the auditors shouldn’t be a headache either. Because data security is being automatically managed and controlled, when it comes to proving your compliance it should be as simple as pressing a button to export a report.
If you implement the right technology, we can all be confident that our data is secure and at any one time we can see who has access to what. Compliance and data security can just become part of the woodwork, the way that people work.
Biography for Peter Bradley
Peter founded Torsion in 2014 having spent a career as a consultant, specialising in secure information management. His deep understanding of the nature of information flow and lifecycle in organisations enables him to make a powerful and effective contribution to the information security discussion.
For more, visit http://torsionis.com