Thursday, January 15, 2009

Social Networking, DLP, and Identity Management opportunities

A new area that may lend itself well to understanding the flow of information is social network theory: power law distributions, Mandelbrot statistics and so on. The problem then becomes one of information overload. The amount of data in such an analysis grows large quickly, and the hard part is inspecting the findings. To make such a system scalable, it should create local accountability.

By local accountability I mean that either the individual or their manager has to sign off on a compliance statement on a regular basis, since they are the ones closest to knowing whether the access is appropriate or excessive.

Another interesting concept would be to look for change points and flag them for further inspection. If behavior suddenly changes, it should be possible to capture that change. Inspecting file share access, SharePoint access, line-of-business application access and so on should reveal a change in behavior such as the one in the data theft at Boeing.

So, what is needed to evaluate if access is appropriate or if it is misused?

To begin with, each individual with access to the network must be managed and their access monitored. However, since most information is not confidential, access to it can be ignored once the sensitive information has been identified and cataloged.

To catalog the information you will have to search across your repositories for sensitive content. I believe the information must also be tagged as it is found. Tagging via an alternate data stream is interesting, but that tag is lost in most cases when the information leaves the network. A second approach is to tag the metadata of the file itself, which is not lost when the information leaves the network.

An interesting approach would be to create a hash of the file once it has been classified and tagged. However, if the tag is to hold the hash and the tag is placed in the file's metadata, the file's hash is altered by the very act of writing it. That is not a problem when the tag is placed in the alternate data stream. And if you are going to create a hash and place it in the metadata anyway, you could just sign the file instead.

If these hashes are stored in a central repository, a hash can be used to evaluate whether copies of the file exist elsewhere. Any copies found should be tagged according to the first file found. The same process could also be used to remove the copies.
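As an added illustration of the hash-catalog idea above (example code, not from the original post), this Python sketch hashes constructed sample files, keeps the classification tag beside the hash in a central catalog rather than inside the file, finds copies by hash and propagates the first file's tag to them, and shows why writing the tag into the file's own bytes breaks the match. The file names, contents and the `Catalog` class are assumptions for the demo.

```python
import hashlib
import os
import tempfile

def content_hash(data: bytes) -> str:
    """SHA-256 of the raw file bytes; this is the key the central catalog uses."""
    return hashlib.sha256(data).hexdigest()

def embed_tag(data: bytes, tag: str) -> bytes:
    """Simulate writing a tag into the file's own metadata (modelled here as an
    appended trailer). The bytes change, so the tagged file's hash no longer
    matches the cataloged hash, which is the problem noted in the post."""
    return data + b"\n<!-- classification:" + tag.encode() + b" -->"

class Catalog:
    """Central repository: content hash -> (tag, path of the first file found)."""
    def __init__(self):
        self.entries = {}

    def register(self, path: str, data: bytes, tag: str) -> str:
        h = content_hash(data)
        self.entries.setdefault(h, (tag, path))   # first file found wins
        return h

    def find_copies(self, root: str):
        """Walk root, hash every file and report those whose hash is cataloged.
        Each copy inherits the tag of the first file registered under that hash."""
        copies = []
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    h = content_hash(f.read())
                if h in self.entries:
                    tag, first = self.entries[h]
                    if path != first:
                        copies.append((path, tag, first))
        return copies

def demo() -> dict:
    """Constructed sample data: a classified document, an exact copy on a share,
    an unrelated file, and a copy whose own bytes carry the tag."""
    root = tempfile.mkdtemp()
    doc = b"Project plan: launch date and supplier pricing (constructed sample)"
    files = [("hr/plan.docx", doc), ("share/plan-copy.docx", doc),
             ("share/lunch-menu.txt", b"pizza on friday"),
             ("share/plan-tagged.docx", embed_tag(doc, "Confidential"))]
    paths = {}
    for name, data in files:
        paths[name] = os.path.join(root, name)
        os.makedirs(os.path.dirname(paths[name]), exist_ok=True)
        with open(paths[name], "wb") as f:
            f.write(data)
    cat = Catalog()
    h = cat.register(paths["hr/plan.docx"], doc, "Confidential")
    copies = cat.find_copies(root)
    return {"hash": h,
            "copies": sorted(os.path.relpath(p, root) for p, _, _ in copies),
            "tagged_hash_matches": content_hash(embed_tag(doc, "Confidential")) == h}
```

Only the byte-identical copy is found; the version carrying the tag in its own bytes is missed, which is why the tag belongs in the catalog (or an alternate data stream) rather than in the hashed content.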
