The effective taxonomy versus redaction? Is this even a question?
Don’t ask me why, but my reading wanderings took me to the subject of redaction. I’m not going to knock it. I understand, from my very brief readings, that it is an extremely valuable tool in many organizations. What started me down this path was an editorial in KMWorld, ‘Protect Private Information through Redaction: Analysis and Recommendation’, arguing that redaction software could solve (the word actually used was lessen) the woes of privacy exposures. The author referred specifically to PII, but also applied the argument to other privacy scenarios. I found this very interesting, and, very honestly, it did contain some good advice and insight into how redaction can assist in protecting PII.
There is one irritation in the article which, of course, I need to address. Well, a couple, but only one major one. The sentence is, “An effective taxonomy the [sic] selects only documents with risk raises cost/effectiveness.” I beg to disagree. Security surveys are (finally) quick to point out that a majority of data breaches originate internally, either by accident or maliciously. According to the 2015 Ponemon/IBM Cost of Data Breach study, the average cost of a breach has risen 23% since 2013 and in 2015 stood at $3.79 million. Yes, that’s per event. Now, to be fair, the size of individual hacks and data breaches is growing astronomically, so the average is a somewhat skewed number. However, we would be delighted if an organization paid us $3.79 million to buy our software and build them a taxonomy. Trust me.
Most security software identifies PII, or anything else that can be written as a regular expression; that is not exactly earth shattering. In a perfect world, an effective taxonomy would be easily implemented and maintained. It would let the organization define the information that is confidential to it specifically, such as patent information, financial information, customer or competitive information, in addition to any regular expressions. This confidential information could be described by keywords or phrases. With phrases, the effective taxonomy would also identify documents ‘about’ the subject, even when the exact verbiage is not found in the document. You would not have to make a copy of the redacted file and keep both the original and the redacted version (that would be quite a hefty bill if you had millions of documents stored on-premises, and you would still have a security hole: the unredacted original). Instead, with an effective taxonomy, you could secure the file, remove it from search, prevent portability, or do whatever else you wanted with it. With an effective taxonomy you could, if you chose to, eliminate any end-user interaction (and tagging) at all. A subject matter expert or IT professional could easily add, change, or delete taxonomy rules as the organization changes.
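To make the difference concrete, here is an added Python sketch written for this post; it is not the author’s product, nor anything from the KMWorld editorial. It pairs commodity regex PII detection (with a Luhn check so a random 16-digit run does not pass as a card number) with a tiny taxonomy: each rule carries exact phrases, a vocabulary of topic terms, a threshold for how many distinct terms make a document ‘about’ the subject, and the actions to apply instead of producing a redacted copy. The rule labels, vocabularies, thresholds, action names and all four sample documents are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# --- Commodity PII detection: plain regular expressions (constructed, US-centric) ---
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # 13-16 digits, optionally separated by single spaces or dashes
    "credit_card": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
}


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: drops digit runs that merely look like card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Return {kind: [matches]} for every PII pattern that fires."""
    hits = {}
    for kind, pattern in PII_PATTERNS.items():
        found = [m.group(0) for m in pattern.finditer(text)]
        if kind == "credit_card":
            found = [f for f in found if luhn_ok(f)]
        if found:
            hits[kind] = found
    return hits


# --- Taxonomy: organization-specific rules a subject matter expert maintains ---
@dataclass(frozen=True)
class TaxonomyRule:
    label: str
    phrases: tuple            # exact phrases; any one of them marks the document
    topic_terms: frozenset    # vocabulary of the subject
    min_distinct_terms: int   # distinct topic terms needed to call a document "about" it
    actions: tuple            # what to do with a matching file (hypothetical action names)


RULES = (
    TaxonomyRule("patent", ("patent application", "prior art"),
                 frozenset({"claim", "inventor", "filing", "uspto", "invention"}), 3,
                 ("remove_from_search", "block_export")),
    TaxonomyRule("financial", ("board deck", "quarterly forecast"),
                 frozenset({"revenue", "ebitda", "guidance", "margin", "fiscal"}), 3,
                 ("restrict_acl", "block_export")),
)


def classify(text: str) -> dict:
    """Return {label: reason}; reason is 'phrase' (exact wording) or 'topic' (about the subject)."""
    lowered = text.lower()
    words = set(re.findall(r"[a-z0-9]+", lowered))
    labels = {}
    for rule in RULES:
        if any(p in lowered for p in rule.phrases):
            labels[rule.label] = "phrase"
        elif len(words & rule.topic_terms) >= rule.min_distinct_terms:
            labels[rule.label] = "topic"
    return labels


def assess(text: str) -> dict:
    """Combine PII hits and taxonomy labels into the actions to apply to the file."""
    pii = find_pii(text)
    labels = classify(text)
    actions = set()
    if pii:
        actions.add("restrict_acl")
    for rule in RULES:
        if rule.label in labels:
            actions.update(rule.actions)
    return {"pii": pii, "labels": labels, "actions": sorted(actions)}


# Constructed sample documents; none of this is real data.
DOCS = {
    "expense_report.txt": ("Expense report for J. Doe (SSN 123-45-6789). Corporate card "
                           "4111 1111 1111 1111; personal card 1234 5678 9012 3456 was declined."),
    # About a patent filing, but never uses the phrase "patent application"
    "inventor_call_notes.txt": ("Notes from the call with our inventor: the filing deadline is next "
                                "month, claims 1 through 4 need narrowing before we approach the "
                                "USPTO about the invention."),
    "board_deck_draft.txt": ("Board deck draft: FY guidance assumes 12% revenue growth and flat "
                             "margin; EBITDA commentary to follow."),
    "office_reminder.txt": ("Reminder: the office is closed Friday; claim your parking pass from "
                            "reception before then."),
}

if __name__ == "__main__":
    for name, text in DOCS.items():
        print(name, assess(text))
```

The point the sketch makes: a regex pass finds the SSN and the one genuine card number in the expense report and nothing else, while the call notes, which never contain the phrase ‘patent application’, are still flagged as being about a patent filing because four distinct topic terms appear, and the office reminder stays clean because a single stray ‘claim’ is below the rule’s threshold. The output is a set of actions for the original file, not a second, redacted copy.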
With an effective taxonomy, you could be one of the many organizations that haven’t had a breach or exposure in almost a decade.
Welcome to our world. Not quite perfect, but pretty close.