Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
Organizations differ in the amount of control that is necessary and appropriate for information circulating among people who work together.
In some organizations, it makes sense to maintain a liberal policy of openness and sharing of corporate data; the philosophy behind such openness is that information exchange can lead to unexpected benefits well beyond the risks of sharing. Entrepreneurial startups with small groups of enthusiastic, creative people collaborating closely on new ways of doing business can be ideal places for a permissive security posture based on the need to conceal rather than the need to know.
On the other hand, for organizations with highly sensitive data pertinent to limited subsets of employees, a more restrictive need-to-know posture might make more sense. Controlling access to information within an organization while fostering appropriate information exchange by authorized personnel are conflicting challenges for enterprise security managers.
I recently received a white paper on this subject from Secuware entitled "Closed Circuits for Information: 360-degree Data Protection for the Enterprise" and found it to be unusually well-written and informative.
The Secuware Security Framework (SSF) is an add-on for the Windows operating system. According to the white paper, it offers strong identification and authentication coupled with whole-system encryption that can be extended to network devices and removable media. Some of the significant features I noted include the following:
* Pre-boot authentication that is resistant to typical bypasses such as booting from alternative media;
* Whole-disk encryption with an additional performance overhead of only 0.15%;
* Controls over application execution using white lists;
* Extensive security-management functions for policy definition and user configuration;
* Granularity extending to individual devices such as specific flash drives;
* User profiles that can apply to individual users or to groups of users in specific functional areas (e.g., departments or branches);
* Easy definition of restricted subsets of information exchange equivalent to subnets on a partitioned network without having to change network topology;
* Entirely client-based - no security servers to manage;
* Centralized security-policy administration for all systems on a network.
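The feature list mentions application allow-lists and profiles applied per functional group. The following is an added illustration of how such a control decides whether an executable may run, written for this column and not taken from the Secuware white paper or product: the policy, the group names and the sample "binaries" (a few constructed byte strings) are all assumptions. The point it shows is that an allow-list keyed on a cryptographic hash, rather than on a file name, rejects an unknown program and also rejects an approved program whose contents have been altered by even one byte.

```python
import hashlib

# Constructed sample "executables": just byte strings standing in for real
# program images, so the example runs offline.
SAMPLE_BINARIES = {
    "payroll.exe": b"MZ\x90\x00payroll-v1",
    "editor.exe": b"MZ\x90\x00editor-v3",
    "unknown.exe": b"MZ\x90\x00arrived-by-email",
}


def sha256_hex(image: bytes) -> str:
    """Identity of a program is its content hash, never its file name."""
    return hashlib.sha256(image).hexdigest()


# Hypothetical policy: one allow-list per functional group, plus a baseline
# list ("all") that applies to every user. Real products would load this
# from a centrally administered policy store.
ALLOW_LIST = {
    "all": {sha256_hex(SAMPLE_BINARIES["editor.exe"])},
    "finance": {sha256_hex(SAMPLE_BINARIES["payroll.exe"])},
}


def is_execution_allowed(user_groups, image: bytes) -> bool:
    """Default deny: run only if the hash appears in a list for one of the
    user's groups (or the baseline list)."""
    digest = sha256_hex(image)
    for group in ("all", *user_groups):
        if digest in ALLOW_LIST.get(group, set()):
            return True
    return False


def audit_record(user: str, user_groups, name: str, image: bytes) -> dict:
    """What a client-side enforcement agent would log for each decision,
    so blocked attempts are visible to the security manager."""
    return {
        "user": user,
        "groups": list(user_groups),
        "image": name,
        "sha256": sha256_hex(image),
        "allowed": is_execution_allowed(user_groups, image),
    }


if __name__ == "__main__":
    for name, image in SAMPLE_BINARIES.items():
        print(audit_record("alice", ["finance"], name, image))
    print(audit_record("bob", ["sales"], "payroll.exe",
                       SAMPLE_BINARIES["payroll.exe"]))
```

Because the decision keys on content, renaming a blocked file to `editor.exe` does not help it, and a patched copy of `payroll.exe` fails the check until the new hash is deliberately added to the finance list.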
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.