As you’ve probably heard or read in the news, there was a recent leak of some extremely sensitive Congressional documents through a file sharing service. This leak highlights some of the inherent risks in the use of such services for moving data between users. In the past, email has been the primary form of communication between users, however, email has it’s limits. The explosion of data and email traffic has forced many corporate email administrators to significantly reduce the size of email boxes and attachments that can be sent through the corporate email system. This has forced employees to find alternative ways of moving data.
File sharing services, such as Kazaa and Gnutella, have been used for nearly a decade to share music and other non-essential files between computers. These have been well documented as a potential security risk.
More recently, services such as Google Docs, Apple’s iDisk, and dozens more have started file sharing services. The value of these services lies in users’ ability to easily share data from anywhere in the world to anywhere in the world. That same ability makes these services as dangerous as some of the p2p file sharing services. If security is not set properly or mistakes are made in sharing the right files/directories, users can expose sensitive data to virtually anyone. Additional data exposures can also occur to those sharing computing resources such as hotel kiosks, family computers, and multi-user business machines.
How do we prevent these types of exposures? Let’s look at some of the options available:
Thou shalt not share data!
One of the first options considered is to not allow the sharing of sensitive data. To determine if this is the best option for your company, there are some questions you should ask:
- Has your company defined a classification for sensitive or confidential data?
- Has your company defined what data can and cannot be shared outside your organization?
- Has your company provided tools for you to share that data with others?
If the answer to any of those questions is NO, you should evaluate your policy and/or toolsets. It is important in today’s virtual “corporation” to share data with others, whether they are employees, contractors, or clients. Policies and tools should to be reviewed to ensure that you can meet the goals of your company so that you can support those needs without forcing your employees to seek a solution outside your company.
Stupid Users
Ask any Information Technology Security professional where their biggest risk is and you will find one universal answer: USERS! In most corporate cultures today, high productivity is valued and information security is viewed as a hindrance to that productivity. As a result, the highest producing users will almost always take the path of least resistance to problem solving, thereby presenting an increased security risk.
File sharing services are a perfect example of one of those paths. Technically savvy users are far less likely to turn to the IT Department to provide a service, but will simply use the same tools they use for sharing their personal files on the web to perform business functions in order to quickly and inexpensively share files with consultants, contractors, or other users.
While being solutions oriented and thinking outside the box is a prized trait in our most productive users, without an effective set of tools and services readily available from your IT Department, users will present an increased data security risk. Always keep in mind that the end user will not adhere to policies that are slow, inefficient, and detrimental to their productivity levels. The goal of any Information Security policy should be to keep the company’s data as secure as possible, while providing the tools necessary for your users to get their work done effectively and efficiently.
Digital Rights Management
DRM has been around for several years. Many felt that DRM was the panacea for all data security risks. The use of DRM in securing data does eliminate the problem with having confidential or private data from being “leaked.” DRM is quickly becoming the next security management nightmare, right behind PKI.
The complexity of managing DRM and the severe limitations that DRM has placed on media companies and data owners have forced all parties to re-evaluate the technology as practical. As a technology, DRM can help to control the availability of sensitive data, but the cost of managing that data is extremely high and just isn’t cost effective for most organizations.
DRM Lite aka Identity Based Encryption?
A new form of DRM is emerging. This form allows sensitive data to be transferred securely, and authenticated by the user receiving that data. That data is encrypted unless you have the authentication credentials. Think of storing a password with the data. This type of encryption is sometimes referred to as Identity Based Encryption (IBE). IBE allows any user to send data encrypted via an email. In the email are instructions for the recipient to retrieve or decode the message using a variety of different methods. In more automated environments, passwords can be generated based upon well known facts based upon information the sender already has such as address or zip code. While this isn’t PERFECT security, it does eliminate many of the risks for data being accidentally shared and viewed by those who shouldn’t have access.
Take a look in your environment? Review your policies; conduct a web audit on whether or not your employees are using file sharing services. Is your company supporting tools that allow users to send data securely? If not, they will find a way to do it increasing your corporate risk.
Related Posts- Security Posture Assessment - Key to a successful security program What is a Security Posture Assessment anyway? To put it simply, a Security Posture Assessment...
- Cheapest, Easiest and Most Effective Security - Security Awareness Training In my career I have been asked hundreds of times what single item is the...
- Flight 1549: A Blueprint for handling Security Incidents I was watching the 60 Minutes interview with Captain Sullenberger and his flight crew on...
Related Websites - Frequency & Monetary Analysis For Subscription Based Services
- A Digital Freestyle Touchtone Phone IP Telephony
- Working of VoIP - The Next Generation Phone
{ 0 comments }
John Sawyer had it right in his article in 
esigned and documented Disaster Recovery policy and procedure. If they do not, then I wouldn’t even CONSIDER doing business with that company. However, the real issue in any disaster is not whether or not they backed data up, but how fast can they put YOUR data and software back online. You are now tied to their success. Make sure that they provide clear evidence that they TEST their procedure and know that it will work and more importantly, how fast can they recover.
Ensure that your SaaS vendor has clear policies and technologies to ensure that data that should be encrypted is and effectively encrypted. Simple hash algorithms for a record or row in a data table are not sufficient.
ur aspects of your business? What happens if they go away? What happens if you chose the wrong vendor and they constantly miss their SLA’s? Does your contract stipulate the ability to extract your data back from the SaaS vendor so that you can use it elsewhere? Work with your legal department to ensure that your contracts include appropriate language to retrieve your data given these and other scenarios.
As you can see, it is important for the Information Security team to be involved early in the process when reviewing potential SaaS partners. A great relationship with your legal team is also helpful. The proper balance of security and the financial savings of the SaaS vendor can really be a great asset to many companies during these turbulent times. Don’t get caught left behind when reviewing your SaaS vendors, ensure that you are leading from the front.
