In the IT and information security world, the need for Information Barriers or Ethical Walls is becoming more prevalent with the explosion of collaboration tools, in particular Microsoft Teams. The term has quickly grown beyond its origins in financial services to encompass any policies designed to prevent certain segments of users from communicating with each other or to allow specific segments to communicate only with other specific segments. Despite the availability of native Microsoft tools to address these needs, in practice they are quite limited and don’t allow for collaboration outside of these groups. In this blog we explore the use cases for information barriers, and how to design them to restrict specific collaboration, but with enough flexibility to allow other types of communication.
Origins of and Business Applications for Information Barriers
Traditionally, “Information Barrier” is a term used in finance for a system of controls and monitoring, including, but not limited to, physical segregation of employees and restrictions on access to and flow of information, to ensure that:
- Information relating to the Group and the Finance Documents (and related transactions) is not disclosed to any person who is or who is acting on behalf of either a Competitor or an investor or equity holder in a Competitor or who is engaged in any M&A or other advisory activity in relation to or on behalf of a Competitor; and
- Information available to any team or employee who is or who is acting on behalf of either a Competitor or an investor or equity holder in a Competitor or who is engaged in any M&A or other advisory activity in relation to a Competitor is not disclosed to any team or employee acting in relation to the Group or the Finance Documents (and related transactions).
Collaboration tools have quickly expanded the need to restrict the sharing of other types of information between individuals or groups of individuals, including but not limited to intellectual property (IP), regulated data such as personally identifiable information (PII) and protected health information (PHI), and more.
For example, information barrier policies can be used for everyday collaboration scenarios like these:
- Ensure users in a trader group do not communicate with the marketing team.
- Prevent finance personnel working on confidential company information from communicating with certain groups within their organization.
- Prevent an internal team with trade secret material from calling or chatting in Teams with people in certain groups within their organization.
- Limit a research team’s call or chat abilities with a product development team.
- Restrict collaboration between users in different geographical locations or subsidiaries to meet regulatory guidelines.
- Ensure files created by, for example, an SVP or higher are restricted to users at that level of the organizational hierarchy or above.
- Restrict the sharing of files via chat based on file metadata.
While this may seem easy enough to do using out-of-the-box tools, in reality they completely cut off communications between these groups in any scenario. For example, if you’re using Teams for company-wide communications, and barriers are set up between your traders and marketing teams, then your traders can’t receive the information because the policies say no communication is allowed between these two groups. The context of the communication isn’t considered; the policy simply creates a wall between the two groups.
The other limitation is that setting up Information Barriers in O365 requires an E5 license. And while many companies can benefit from them, not everyone can upgrade their license to access this useful, and in some industries mandated, capability.
Get Flexible Information Barriers Using Third-Party Tools
Flexible information barriers are essential for productivity and ensuring you get the most out of your Microsoft investments. Fortunately, third-party tools provide an affordable and flexible option for organizations that want the information protection capabilities afforded by information barriers. NC Protect provides capabilities for the configuration and enforcement of information barriers, as well as for controlling business data within the Microsoft collaboration environment.
Using the Microsoft investments you already have, it adds capabilities to:
- Restrict specific types of collaboration between users/groups, but with enough flexibility to allow other types of communication.
- Granularly control the blocking of chat or files within Teams without complex rules.
- Control access in line with business rules for users from different operating companies or geographical regions beyond sole reliance on permissions.
- Automatically secure access to content based on the creator of that content, e.g. files created by an SVP or higher are restricted to users at that level of the organizational hierarchy or above.
- Provide the data governance needed to control External/Guest access in Teams.
Let’s see what this looks like in practice.
Configuring Flexible Information Barriers Policies with NC Protect
Configuring Information Barriers within NC Protect is as simple as building out the conditions with which you want to control collaboration. NC Protect can use any data or user attribute as part of the condition that blocks chat messages or file attachments. A common use case is to prevent two groups of users from communicating. Simply map out the use case in the condition builder; the example in the image prevents Con_Mobile and Toso_Telecom from communicating in Teams.
Unlike other solutions, NC Protect considers users in the context of both the sender and recipient as part of the condition. This allows greater flexibility to control the communication that is possible, e.g. one-way “broadcast” messages can be sent, or additional controls can be placed on one group, e.g. allow HR to send files with PII to users but prevent others from doing so.
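To make the difference concrete, the following added example (not NC Protect code or rule syntax, and not part of the original post) models a symmetric segment wall next to a rule set that evaluates sender and recipient separately. The group names, rule fields and function names are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    sender_group: str
    recipient_group: str
    has_pii_file: bool = False

@dataclass(frozen=True)
class Rule:
    sender: str       # group name, or "*" for any sender
    recipient: str    # group name, or "*" for any recipient
    pii_only: bool    # True: rule applies only to messages carrying a PII file
    action: str       # "allow" or "block"

# Constructed sample policy data (hypothetical group names).
WALL = {frozenset(("Traders", "Marketing"))}
RULES = [
    Rule("HR", "*", True, "allow"),                # HR may send files with PII
    Rule("*", "*", True, "block"),                 # nobody else may
    Rule("Marketing", "Traders", False, "allow"),  # one-way broadcast
    Rule("Traders", "Marketing", False, "block"),  # no replies across the wall
]

def symmetric_barrier(msg, blocked_pairs=WALL):
    """Segment wall: an unordered pair is blocked in both directions."""
    pair = frozenset((msg.sender_group, msg.recipient_group))
    return "block" if pair in blocked_pairs else "allow"

def directional_policy(msg, rules=RULES, default="allow"):
    """First matching rule wins; sender and recipient are matched separately."""
    for r in rules:
        if r.sender not in ("*", msg.sender_group):
            continue
        if r.recipient not in ("*", msg.recipient_group):
            continue
        if r.pii_only and not msg.has_pii_file:
            continue
        return r.action
    return default

if __name__ == "__main__":
    for m in (Message("Marketing", "Traders"), Message("Traders", "Marketing"),
              Message("HR", "Traders", True), Message("Marketing", "Traders", True)):
        print(m, symmetric_barrier(m), directional_policy(m))
```

Rule order matters in this model: the PII rules sit first so that a broadcast allowance never overrides them, and passing `default="block"` turns the rule set into an allow-list.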
In addition, NC Protect rules and protection can also be applied at a more granular or scenario-based level. Information Barriers that are too restrictive can severely restrict an organization’s ability to work together. Applying rules to individual Teams or sites, or to groups of them, via NC Protect’s Security Scope feature allows the barriers to be tailored to the exact needs of the business, simplifying the rollout and providing protection that truly meets its needs.
The Teams or Sites membership of a Security Scope can also be controlled based on conditions, but we’ll leave a detailed explanation of that capability for a later post.