Security Manager's Journal: When technologies collide
- 14 January, 2013 11:04
- Comments
My efforts to protect sensitive company data recently got a boost when we introduced encryption for files and emails to several key groups, including the human resources, finance, sales and legal departments. I was delighted to see how readily many employees in those groups were adopting encryption, since its use means that files and email can be read only by the intended recipients. Then we ran smack into the law of unintended consequences.
Trouble Ticket
Encrypted emails can't be searched in the archive for e-discovery purposes.Action plan: Pull the plug on the encryption deployment until the conflict can be resolved.
A couple of years ago, we purchased an email archiving tool that automatically stores copies of all sent and received email, which was something that our legal department was interested in doing as a way to help it comply with e-discovery requirements. Now, whenever we are faced with an e-discovery request, whether it relates to an HR matter or a court case, we can run fast, efficient and detailed searches against the entire email repository.
Or rather, we could do that, until we started encrypting some of our email.
Last week, as it was looking into an issue involving license compliance, the legal department asked me to conduct a search of the archive for emails containing certain keywords. You see, the licensing model for some of our products hasn't been updated in years and therefore our licenses can be misused. Our sales contracts include language giving us the right to audit customers to ensure that they are using our products within the constraints of the license they paid for. Many times, we have to enter into litigation with our customers, some of whom then claim that our sales associates gave them permission to use the license in a way that violates the agreement. The value at issue in such disputes can rise to over a million dollars, so it's critical for us to have the ability to search our archives for keywords within the body of emails that would bolster our contention that no such promises were made.
But when an email is encrypted, we can't search it. That's why I was sitting in our general counsel's office today, explaining that our new encryption initiative was the likely reason we were unable to find emails beneficial to our company in this particular compliance investigation.
We decided that we were going to have to step back from encryption for now while we look for a way to decrypt email messages before they are copied to the archive tool.
I'm in full agreement with that decision, but it doesn't make me happy. That's because the pilot deployment had been going well, and now we have to push a new policy to our clients, remove the email encryption option and communicate the reasoning to current users. This turn of events doesn't make us look terribly competent.
Alternative Plans
But despite the awkwardness of the current predicament, I'm confident that we'll have things back on track soon enough. Right now, I'm looking at deploying an email gateway that would allow employees to place an email into a secure location to be accessed by customers and partners. Those emails would be encrypted only in transit and as they sit on the gateway awaiting retrieval. Once the email is downloaded, the encryption isn't persistent. Email retrieval is typically through a Web browser, so users will have to take an extra step. The aborted encryption program was more seamless, but this will at least give our employees a way to communicate securely with customers, partners and other third parties.
For the long term, I will begin to work with our vendor on options that will allow us to decrypt email before it's copied to the archive or enable searching through encrypted emails.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.
Join in the discussions about security! Computerworld.com/blogs/security
Read more about security in Computerworld's Security Topic Center.
Related Articles
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
- Bookmark this page
- Share this article
- Got more on this story? Email CIO
- Follow CIO on twitter
-
Spiceworks' free management software gets integrated MDM
-
Opinion: Why national e-health is not for everyone
-
Opinion: Why national e-health is not for everyone
-
Opinion: Why national e-health is not for everyone
-
Opinion: Why national e-health is not for everyone
-
Clearing the Clouds for Midmarket Businesses
Cloud computing promises to help midmarket companies reduce cost and complexity in the IT equation – and gain the flexibility and agility they need to thrive. Yet charting a clear course to the cloud isn’t always easy. In this paper, we aim to clear the clouds. We examine different cloud computing models, discuss the types of requirements that each can best address, and consider what midmarket businesses should look for in a cloud solutions provider. -
Customer Success - Slater & Gordon Lawyers
Lawyers work hard, and they work fast. Any activity that takes their focus away from the task at hand represents lost productivity and lost revenue. Slater & Gordon Lawyers needed to filter spam and email-borne malware and provide high availability for email. Results from the business solution they chose include 250 hours of IT staff time reclaimed annually for other tasks, long delays in email delivery alleviated, reduced email-related storage costs, and email failover to the cloud in minutes, avoiding hours-long outages. Find out how they got these results. -
Top 10 tips for Migration
As users bring multiple devices to the workplace, IT departments need to have a single view of all their mobile devices. Find out how to build a secure and reliable management platform for next generation mobile computing across multiple platforms. Click for more!
Get exclusive access to Invitation only events CIO, reports & analysis. 
