Financial Daily from THE HINDU group of publications
Friday, Oct 07, 2005


Opinion - Human Resources


Managing knowledge security

Tharun Kumar

SOME TIME in the 1980s organisations woke up to the fact that employees no longer joined a place to retire from it.

With this came the realisation that if employees were not bonded to an organisation for life, the firm needed to put in place mechanisms that capture the knowledge they created.

"Knowledge is a fluid mix of framed experience, values, contextual information and expert insight that provide a framework for evaluating and incorporating new experiences and information," say the knowledge management gurus, Davenport and Prusak.

It is recognised that there are two types of knowledge — Tacit, which is the uncodified knowledge in employees' heads, and Explicit, which is codified but easy to 'lose'. Usually the latter is stored in specialised KM systems.

Knowledge became a buzzword and most global corporations boast a Knowledge Management Head. Indeed, as competitive pressures increase, good KM practices become the hallmark of global leaders. But beyond merely capturing knowledge, leveraging it for getting a competitive advantage is where the action is. How do you secure KM systems?

The Threat

Knowledge management attempts to collect and save structured and unstructured knowledge assets scattered across the organisation so that there can be seamless transfer of information within the organisation.

Therefore, an efficient KM system creates a "safe or locker" of your most valuable assets. But now, though knowledge is easy to access, it has also become easy to take or steal. Disgruntled employees, competitors and hackers are perhaps the three main threats.

Securing KM systems is a challenge. This is because employees need to feel that KM systems are ubiquitous, easy to access and share.

Therefore, unlike in ERP (enterprise resource planning) systems, a fine balance needs to be struck between controls and accessibility. The fine art is to deploy an invisible form of security that does not hamper access in any way.

Here are a few steps that organisations can take towards securing their knowledge repositories.

Intellectual Property

Often, intellectual property is more valuable to an organisation than its physical assets. From a legal standpoint, there are four types of intellectual property — patents, trademarks, copyright, trade secrets. IP registered in one of these categories is protected by law and cannot be copied/claimed by anyone else. All important documents or artefacts kept in the KMS should be IP protected.

Secure network

Securing your network is the first step. A dependable, secure, private, fault-tolerant network ensures real-time processing and prevents release of unauthorised information. This, combined with trustworthy users who provide the right information and protect sensitive information, is the foundation for a secure KM system. A few of the 'must dos':

  • Create a layered security architecture: In medieval times, castles did not rely on just one type of defence.

    They had moats, outer and inner walls, scouts and patrolmen, all in an effort to detect and protect against potential threats. This idea is the same with network security. One needs to provide as many security layers as possible.

    Among the obvious are hardware layers such as router security and firewalls. A good layered security approach should also include security education, penetration testing to assess current security posture, vulnerability assessments, applied policies and procedures within the organisation and system maintenance and patching.

  • Implement Intrusion Prevention Systems: Traditional IDS (Intrusion Detection Systems) based on signature recognition, used to secure the IT infrastructure, are not good enough for KM systems. Needed are application-level Intrusion Prevention Systems. New attacks that signature files do not recognise will breach the traditional IDS.

    That was why in January 2003 the Slammer worm spread so quickly around the world, slipping past signature-based defences and reaching millions of the most vulnerable hosts within 18 minutes.

    The Intrusion Prevention System loaded on the KM application first profiles the system before protecting it. During the profiling phase, the IPS can watch the user's interaction with the application and the application's interaction with the operating system to determine what a legitimate interaction looks like.

    After the IPS has created a profile, or policy, of the application, it can be set to enforce it. The Intrusion Prevention System continuously monitors user patterns, identifies any suspicious activity such as hacking attempts and takes corrective measures such as blocking the user.
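The profile-then-enforce cycle described above, as an added sketch that is not from the article or from any IPS product. The class `KMProfileIPS`, its thresholds and the event tuples are hypothetical, and the sample events are constructed.

```python
from collections import Counter, defaultdict

class KMProfileIPS:
    def __init__(self, block_after=2, rate_slack=2.0):
        self.allowed = set()               # (role, action, collection) seen while profiling
        self.peak_rate = defaultdict(int)  # role -> busiest user-hour seen while profiling
        self.seen, self.violations = Counter(), Counter()  # per (user, hour); per user
        self.blocked = set()
        self.block_after, self.rate_slack = block_after, rate_slack

    def profile(self, events):  # profiling phase: learn what legitimate use looks like
        per_hour = Counter()
        for user, role, hour, action, collection in events:
            self.allowed.add((role, action, collection))
            per_hour[(user, role, hour)] += 1
        for (_, role, _), n in per_hour.items():
            self.peak_rate[role] = max(self.peak_rate[role], n)

    def enforce(self, event):  # enforcement phase: allow, deny, or block the user
        user, role, hour, action, collection = event
        if user in self.blocked:
            return "blocked"
        self.seen[(user, hour)] += 1
        reasons = []
        if (role, action, collection) not in self.allowed:
            reasons.append("unprofiled action")
        if self.seen[(user, hour)] > self.peak_rate[role] * self.rate_slack:
            reasons.append("rate above profile")
        if not reasons:
            return "allow"
        self.violations[user] += 1
        if self.violations[user] >= self.block_after:
            self.blocked.add(user)
            return "blocked"
        return "deny: " + ", ".join(reasons)

# Constructed sample events: (user, role, hour, action, collection)
BASELINE = [("asha", "analyst", 9, "read", "proposals"), ("asha", "analyst", 9, "search", "proposals"),
            ("ravi", "engineer", 9, "read", "designs"), ("ravi", "engineer", 9, "edit", "designs")]
LIVE = [("asha", "analyst", 14, "read", "proposals"),     # matches the profile
        ("ravi", "engineer", 14, "export", "proposals"),  # never seen while profiling
        ("ravi", "engineer", 14, "export", "designs"),    # second violation
        ("ravi", "engineer", 14, "read", "designs")]      # user already blocked

def run_demo():
    ips = KMProfileIPS()
    ips.profile(BASELINE)
    return [ips.enforce(e) for e in LIVE]

print(run_demo())  # verdicts for LIVE, in order
```

The rate check matters for the disgruntled-employee case: every individual request is a profiled action, and only the volume departs from the baseline.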

Ensure authorised access

While employees obviously need access to the KM system anywhere, anytime, there has to be a robust system to monitor this remote traffic. Ideally only authorised users should pass through the secure connection, firewall and the Virtual Private Network to access the KM system.

End-to-end security needs to be ensured through data encryption, strong authentication, fully integrated access control measures and logging of all user activity.

Converged physical and logical security

You can implement watertight information security systems but how effective will the safes or vaults be against a burglary attack? Are any security alarm systems used to protect your knowledge? Physical security risks should be mitigated through zone-oriented implementations.

Zones are physical areas with differing physical security requirements. The security requirements of each zone are a function of the sensitivity of the data contained. KM systems should be in the highest security zone.

Traditionally, physical security teams and infosec teams run their operations separately with little team effort. Many organisations worldwide are implementing converged physical and logical security. The benefits are alignment with the organisation's security business plan, higher visibility from senior leadership as one individual/team has ownership, a single point of contact for employees to report incidents and ask questions, and one budget for all security activities.

Digital Rights Management

If an intruder overcomes all the above-mentioned defences, the last gate is Digital Rights Management. DRM is software that sets specific policies for determining how the content is used, by whom, and for how long. It helps protect the information even after it has been accessed or delivered.

Information owners can define exactly how the recipient can use the information, such as who can open, modify, print, forward, etc. Imagine the frustration of the hacker who can read the confidential e-mail but cannot forward it or print it.

Alongside setting up a knowledge management function, organisations need to build a knowledge management culture and choose the right platforms to secure the KM systems.

(The author is Head, Knowledge Management at ICICI OneSource.)

Copyright © 2005, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line.