IT, Export Control and Information Security: Learning to Speak the Same Language
By Magnus Bjorendahl
I believe that there is a gap between IT organizations and export control managers-and that this is just an old story repeating itself in another area.
The story is the one where IT and business managers do not always understand each other or know the best way to support each other. Businesspeople-in this discussion, the export control managers-often don’t know what IT solutions exist to solve a specific business problem, or understand the cost, effort and technical challenge involved in delivering such solutions. Meanwhile, the IT organization typically doesn’t appreciate the broad scope and complexities of business needs-in this case, U.S. export and re-export requirements.
These problems are exacerbated by the fundamental communication barriers between the two groups. IT folks tend to have a technically oriented, “Bachelor of Science” way of talking and thinking, and the export control managers tend to have a business-oriented “Bachelor of Arts” way of talking and thinking. The only real way to address this problem is to overcome those communication barriers. Fortunately, the IT industry is working toward doing just that in a critical area-information security.
The Two Sides of Information Security
When I say information security, there are two types of security that I refer to. The first has to do with keeping vital information from leaking to foreign countries-an especially significant concern in the Aerospace & Defense industry. Regulations, such as the International Traffic in Arms Regulations (ITAR), establish rules requiring companies to obtain licenses and clearance before distributing information classified as ITAR-relevant to foreign nationals and foreign countries. Severe punishments in terms of fines and even imprisonment can be given to violators of those rules.
The second type focuses on protecting the company from the leakage of information to competitors; this is typically referred to as protecting your intellectual property (IP). These days, IP is a vital business asset, and often a key differentiator in the marketplace. The loss of such information to a competitor can do significant harm to a company. The reason I bring up the protection of IP here is because the challenges around it are in many ways the same, and a potential solution should be able to protect information from being illegally exported to foreign countries and from being leaked to competitors.
Today, simply managing the growing amount of information flowing through a company is a challenge in and of itself-and managing the security of that information is even worse. By itself, IT is not really equipped to manage these security issues; IT professionals usually don’t have a solid enough grasp of which business policies should be applied to what sensitive information-especially when it comes to the complexities of export control. Ideally, export control managers should be able to define the rules they need right in the system. They need a business language that works with IT.
Overcoming the Language Barrier
NextLabs, [http://www.nextlabs.com] an SAP software partner and developer of information risk management enterprise software, has created such a language-the Active Control Policy Language [http://www.nextlabs.com/products/acpl.htm] (ACPL). ACPL was designed to let users, such as export managers, develop information security rules and information-handling procedures with relative ease. Those users can assemble “components”-that is, familiar business terms-which are then automatically translated into a computer program language. For example, for the handling of ITAR technical data, export managers could define various types of rules in fairly straightforward language.
For access control, they might write:
- Allow only ITAR-certified users to access ITAR technical data from ITAR certified systems
- Notify when non-certified users attempt to access ITAR Project Info
For leakage prevention, they might write:
- Deny duplication or distribution of ITAR technical data outside of ITAR controlled project areas
- Deny duplication of ITAR technical data to removable storage devices
For data mobility, they might write:
- Deny user not in US Locations access to ITAR technical data
- Log when any laptop users duplicate ITAR project info
- Deny mobile or disconnected computers printing ITAR technical data
For export control, they might write:
- When licensed technical data is exported encrypt ITAR technical data
- When licensed technical data is exported, send export transaction to SAP Global Trade Services
Basically, with ACPL, export managers and policy experts can define information security rules and information-handling procedures on their own, without a lot of technical help. At the same time, NextLabs’ Compliant Enterprise solution can incorporate those rules and enforce them consistently across servers, document management systems, email servers, and endpoints such as desktops and laptops. For its part, IT only needs to define how the building blocks of the language-the component business terms-should be interpreted. For example, IT might need to determine where the ITAR technical data is to be stored, or the type of encryption program to be used when exporting ITAR technical data.
I would argue that without ACPL or some other automated common language, and the ability to automatically enforce defined policies, the information security issue around exports will always be a problem. IT and export control managers need to understand each other, and that means speaking the same language. Now, software can bridge that gap, and that will help us bring greater consistency and effectiveness to information security.
This is still not the complete story, as software such as NextLabs’ does not manage export licenses. If you would like to know more about how SAP, NextLabs, and IBM have worked together to built an end-to-end solution for managing exports of information, please read the whitepaper, “Enterprise Governance, Risk, and Compliance Solution for Information Export Control.” [http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a050483b-3365-2a10-99b1-d98b0044cff6]
Magnus Bjorendahl is an Industry Solution Manager for Aerospace and Defense at SAP. In this role, he is currently in the lead for building out the partner ecosystem (IVN) for Aerospace and Defense. Over the past couple of years, he has been working closely with partners such as IBM, BearingPoint, MCA Solutions, TechniData, NextLabs, and Lockheed Martin. Prior to his 8 years at SAP, he was an IT consultant for a consulting company in Stockholm. He holds a M.Sc. in Computer Science and Engineering from Linkoping’s Institute of Technology and is currently studying business part-time at Wharton Business School.