Digital security begins with data management

Reading Time: 3 minutes

BitDepth#1001 for August 11, 2015

Members of the Microsoft Digital Crimes Unit work in a forensics lab in the Cybercrime Center. Photo courtesy Microsoft.
Members of the Microsoft Digital Crimes Unit work in a forensics lab in the Cybercrime Center. Photo courtesy Microsoft.

The remarkable story of a confidential memorandum regarding a potential terrorist threat being circulated on social media within hours of it being issues from police headquarters in Trinidad and Tobago caused citizens no small disquiet.

This was a document that alleged a plot against Prime Minister Kamla Persad-Bissessar by an organisation with a proven capacity for insurrection in this country.

That memo, photographed and circulated widely, suggested serious problems with the way that information is shared and managed within the T&T Police Service, but it isn’t a problem that’s unique to a police force or national defence services, according to Roberto Arbeláez CISSP, CISA Security Program Manager for Microsoft Latin America.

Arbeláez started working in the security sector at 16 while at university and has 20 years of experience in working with security solutions in most countries in Latin America, creating solutions for both the corporate and public sectors.

“It’s a problem that crosses industries,” he said in an exclusive Skype interview.

“It’s the same issue for police officers, in telecommunications industries and in banking, privacy and security are basic issues that CIOs in large organisations have to address.

“Solutions have been in place for decades which address those concerns. In the seventies the US commissioned a custom solution to secure communication at the Pentagon.”

“That process is now much easier to implement and manage because of the technologies that the cloud and mobile have introduced.”

It’s now possible, Arbeláez explained, to layer security solutions on top of cloud based distributions.

The technology allows administrators and users to set permissions that limit who can view a document to a very fine-grained level. It’s possible to have a secured file living next to personal information with complete control over who can view each file.

Security measures can block documents from being distributed digitally while allowing full access for viewing by authorised users.

Microsoft, Arbeláez noted, can secure voice and video communications between users and can fully encrypt communications within Skype, the company’s consumer level VOIP solution.

It’s an industry, he noted, which has seen the deployment of significantly improved security communications options over the last three years in particular.

Most of the software industry, including cloud providers are very aware of the need for security, but for Microsoft, it’s one of the top two design imperatives.

“For most countries, the greatest challenge is making the political decision to implement those solutions,” Arbeláez said.

Other issues arise with the quality of implementation of these systems, and the commitment by administrators to keeping systems properly organised and secured.

There can also be resistance to moving analog based data to digital formats because of the perceived security of analog distribution.

“Our products are among the most secure and are more than adequate for implementation in security sensitive scenarios,” he said.

The process begins with asset inventory and classification, which requires customers to organise their documents and communications channels in alignment with their processes and culture, and it’s something that’s done internally because of security concerns.

“This is one of the most tricky parts of the process,” Arbeláez explains. “It generally can’t be done by outside vendors, and the process can take between a year and a year and a half, we’ve found.”

“Once that’s done, the easy part is to implement the communications and document management systems.”

It’s a process that can take between three to six months, depending on the complexity of the classifications that have been created by the customer.

Implementations take place in stages, with communications being the first.

A Skype based installation can take around three to four months and a Sharepoint installation for document distribution can take a couple of months.

A full enterprise or government level installation by Microsoft can take up to 18 months to complete, but it’s done in phases.

There can be a lot of reasons for not doing it, but it’s Microsoft’s experience,” Arbeláez said, “that solutions implemented using technology are safer and more resistant to efforts to abuse them than paper based systems.”

“Something like the distribution of a picture of a document would not happen in an organisation that has implemented a digitally secured environment.”