The bank, after an extensive research process, turned to Workshare, a global information security company whose Workshare Protect product conducts content analysis and secures confidential information on laptops, desktops and mobile devices. Standard Chartered info security chief John Meakin says the bank is still only in the beginning phases of deployment, but that is by design.
What was the initial problem that led Standard Chartered to look for outside help?
John Meakin: We, like any other major corporation with a diverse deployment of IT, have gradually realized over the past four, five years that we used to have business critical information in electronic form sitting inside a traditional application space, and by virtue of that we were reasonably sure as to where the information was in the first place, and we were reasonably sure about what uses were made of that information, because that was all coded into the application.
The realization is that this has increasingly become less and less an accurate picture of the way the business uses information. The bank realized this was going on, we realized our traditional security models weren't responding to it and we said, "What do we do?" If you've been in banking for a fair time, as I have, your first reaction was probably to say, "Well, encrypt all the information." Quite fair enough, but that is really picking up only a little piece of the problem space. What about email, why not encrypt all the email? Well, if you've ever tried implementing email encryption on a large scale, you know that falls over if not on the first hurdle, then the second hurdle in terms of practicality. And if you start encrypting everything in your business, you're bound to find that you're spending huge amounts of money.
So our thought process was that if it's not just about encrypting everything that moves, then what's it about? The number one requirement was having some way of finding out where this information was, since it has been dispersed over the years. The second requirement was, even if you knew where the information was, what are you going to do with it?
What led you to Workshare Protect?
We realized that actually what we wanted was a mechanism that not only discovered where the information was and applied the protection, but applied the protection each time the information is used, at the point that it's used.
The third realization is that you can't determine the value of any one piece of information and maintain the value forever. A great example is financial results for a business. Those results are highly confidential up until the point that you publish them to the world and then they are no longer confidential and never will be again.
All of those requirements led us down the path to look at tools like Workshare.
Where is the bank in this process?
We are not fully deployed yet. ...We have a projected final scope of 55,000. We hope to reach 55,000 deployed workstations by the middle of next year. But that is only part of the story. We initially will be deploying Workshare only to do discovery, let's call it silent discovery. Silent discovery means we are not involving the user and we are not going to offer any additional protection, in the beginning.
So we have a second phase, after the discovery phase, where we begin to talk to the user as the Workshare product discovers the information to ask that user the critical question, "Is this information really valuable right now? Do you really want to do this?" We're not going to stop them from doing it because the other key criterion here is that information dispersal throughout your organization happens because it's all about pursuing a profitable business. The last thing you want to do is put roadblocks on profitability. So we want to be very careful about the way we release the protection capability that Workshare provides.
Then there's a final step where we do actually use encryption to protect the information wherever it is used but we use it in a form that's called information rights management, with Workshare as the front end; Workshare as the tool the individual sees the information through. So we're right at the beginning of what is a journey between 2008 and 2010. So this is quite a long haul and it's a long haul because it's a complicated problem and because we have to learn our way through it.
What lessons have you learned?
The key lesson so far, and I wouldn't say we've learned all of our lessons yet, is that you have to involve the user in the decision as to whether something should be done with a particular piece of information because the user is in the best place to judge the value of that information at that particular time. ...If there's one thing that's a killer when it comes to deploying some of these powerful new security technologies, it's actually generating too much information.

(c) 2008 Bank Technology News and SourceMedia, Inc. All Rights Reserved.
http://www.americanbanker.com/btn.html/
http://www.sourcemedia.com/