IRM for CRM - Protection and Auditing for CRM Reports
By Martin Abrahams-Oracle on Dec 21, 2009
In a recent article on ComputerWorld, David Taber highlighted the need to "prevent key CRM data from walking out the door", observing that "Your employees not only have access to a significant amount of data, but also know what the data means and how to separate the marginal from the important", and that "Given the number of layoffs and the turnover of sales reps these days, the risk has grown."
David goes on to comment, "If a user is allowed to run any reports, they can typically run almost all of them and export the results to a CSV file" - which they may then print or distribute as they choose. There are tools that can block the usage of CSV files, but what you actually want is to target only the files that pose a risk.
Among the recommendations made to mitigate this risk is that an organization should "dramatically limit" the use of mass import/export tools.
The problem with this recommendation, and with the suggestion that you might block the creation of CSV files, is that while seeking to reduce risk it also reduces the usefulness of the CRM system to its users. The data export function exists to help employees make use of CRM data - to get their jobs done. The tension between security and usability is clear.
Within Oracle, we use IRM to address exactly this issue by sealing CSV files as they are created by the export function. This allows the employee to run whatever reports they need as usual, but protects the data automatically. This approach has no impact on any other uses of the CSV format - the protection is targeted at the files that constitute a risk.
The export files are sealed to a classification that allows them to be shared with other Oracle employees, but guards against accidental or malicious exposure to third parties. When employees leave the company, their rights are automatically revoked. Simple.
Sealing also addresses another concern raised in the article - the creation and usage of the export data is fully audited.