Gartner has recently published a couple of pieces of research that cover a topic that they call “People-centric security” (Gartner, Consider a People-Centric Security Strategy, Tom Scholtz, 07 Mar 2013). According to Gartner, people-centric security “is an approach that places more personal responsibility for protecting information resources on the shoulders of individual employees in return for reducing or eliminating restrictive, preventative controls.” As you adopt cloud applications and start thinking about Salesforce.com security or Google Docs security, as examples, this approach becomes even more important.
Gartner goes on to say, “The premise of PCS is that an employee has certain rights, but they are linked to certain responsibilities and accountabilities (see the PCS Rights and Responsibilities section). These rights are based on an understanding that if the individual doesn't fulfill his or her responsibilities, or doesn't behave in a manner that respects the rights of his or her colleagues and the stakeholders of the enterprise, then the individual will be subject to sanction. Usually, this sanction will mean a forfeiture of some rights, but it could also entail disciplinary action. The difference in this approach is that the sanction is aimed at the offending individual, rather than the orthodox approach that typically punishes the collective user population by implementing restrictive new controls.”
While this may seem like a radical change from the status quo, one that you might roll your eyes at, it seems to me that a lot of this has already started to happen without us even realizing it. Think about the move to BYOD and to SaaS applications over the last few years. In many organizations, BYOD was adopted because employees demanded it, revolting over the prehistoric smartphones that IT had provided. By the same token, it was often business leaders, not IT, who led the charge to adopt the initial SaaS applications. In an indirect way, we have already given users the freedom to decide how to consume company information.
Initially, we tried to put into place controls that mimicked our traditional environment. Mobile Device Management sought to control BYOD in a manner similar to the way that we controlled the managed devices of the past. Forcing employees to connect to a corporate VPN in order to access SaaS applications was along a similar vein. Both of these approaches are failing because they impose too much control for the “freedom” mindset.
As these barriers fall, they need to be replaced with other methods of protecting data. Gartner recommends “a formal education program that embeds this knowledge into all employees that is tailored to different audience profiles.” Keep in mind, however, that the “security policy” document with vague examples that may or may not be actionable by the user isn’t necessarily the ideal way to pull this off. Timely, actionable information delivered to the employee on an ongoing basis is a better method that helps to reinforce appropriate actions over time, not just in the employee’s first week on the job. Additionally, monitoring mechanisms can help to identify non-compliant employees so that IT can educate them on the appropriate use of company assets.
At Bitglass, we believe strongly in the people-centric approach to SaaS security that Gartner is espousing. Given that many organizations are already at least partially down the path of providing users with freedom and flexibility, it seems inevitable that this approach will gain more popularity in the near future. Bitglass’ technology purposefully balances technical controls centered around data security with functionality that reinforces employee awareness and provides monitoring mechanisms to help close the feedback loop.