Recently, whilst working on a customer proposal around introducing collaboration capabilities within their environment, I was struck with the security implications of exposing business critical information (data, documentation, strategies) to partners, suppliers and potentially random onlookers.
As the businesses requires greater flexibility and connectivity (as it becomes more time critical and complex), collaboration tools enable authentic and productive working relationships regardless of geographic or time zone differences (what I like to call Geo-Temporal restrictions). Collaboration encompasses a broad range of tools that enable groups of people to work together including wikis, web sharing, video & audio conferencing, instant messaging, blogging services and even email.
Just as the market has become more flexible and connected, so too has the workforce. The evolution of the personal workspace has seen the progression from mobiles to laptops to smart devices, allowing people to communicate wherever and whenever they wish.
Whether it be a corporate wiki or a Microsoft hosted instance of SharePoint, collaboration isn’t something that is going to go away, and security zealots along with network and system administrators will have to concede (at some point) that people are going to start to use these tools, either by hook or by crook, and therefore should be prepared.
Criticality of these tools to businesses
Businesses are not only taking collaboration more and more seriously; today they rely on it to get things done.
Quote from “Meetings Around the World: The Impact of Collaboration on Business Performance” — conducted by Frost & Sullivan and sponsored by Verizon Business and Microsoft Corp via the Microsofts Press site:
Collaboration is a key driver of overall performance of companies around the world. Its impact is twice as significant as a company’s aggressiveness in pursuing new market opportunities (strategic orientation) and five times as significant as the external market environment (market turbulence)
What that statement means is collaboration has a real impact and those that embrace it reap the rewards. What that translates to in the real world is “we need these tools now and don’t care what it takes!”.
Risk to the Business
Business data is exposed. This applies regardless of where the data is stored locally or *gasp* in the cloud. For the security focused of you, the principals around confidentiality, integrity and availability (CIA) are screaming out. For the rest, the questions are, how do you ensure that only those who should see the information are the ones who are seeing the information? How do you ensure that information shared via collaboration is not accidentallyor maliciously altered? And, will the information be available when you actually need it?
When you realise how simple it is for someone to start sharing your business’s’ innermost secrets, or how that urgent proposal is now inaccessible because the portal is down, all the benefits of collaboration come in to question.
Measures to reduce risk
There are a number of different measures that can be put in place to help reduce risk as well as increase the overall awareness.
- Security Policy
- Data Classification
- Restriction – Access Control
- Company provided and sanction tools
- Use a large stick.
I’ve loosly applied parts of the ISO27001:2006 framework to my measures (well, the bits that are generically applicable) and, depending on what is being used, more of the management framework could be applied.
It always starts with policy, but policy only gets you so far. As with any security policy, if it is too restrictive or just too complex , people will just ignore it and do what they want, or need to do. As Bruce Schneier recently pointed out in ablog post:
They know what the real risks are at work, and that they all revolve around not getting the job done. Those risks are real and tangible, and employees feel them all the time. The risks of not following security procedures are much less real. Maybe the employee will get caught, but probably not. And even if he does get caught, the penalties aren’t serious.
He goes on to say that unless you impose harsh penalties and make a public spectacle of the infringer, little will change. Collaboration tools add to the temptation for users to go around the system to get their job done. I personally have done and am currently guilty of this particular sin.
Data needs to be restricted and classified. More now than ever, you need to clearly define the data, what can and cannot be distributed or used in in this manner. If it’s being cached/stored externally, do you trust that facility and if so to what level? What do they do when you close that account? Is the information still kept?
Collaboration tools need to be able to authenticate (provide a mechanism to verify) participants in order to ensure that only the correct people are accessing not only the tools themselves, but the data within. These tools need to support the ability to restrict the functions based on role as you might not want the average user, say, accidentally sharing their desktop, be able to involve participants external to the organisation or even try starting up his own corporate blog.
Provide the tools
One of the simplest ways to stop people going around the policies and procedures and reducing some of the risk is to give people access to the tools they need. That way they can be controlled, logged and audited as required. Users that dont’ have access to the tools they NEED to be efficient at what they do, WILL use them anyway; regardless of the policies as pointed out above, people know the real risk is not performing. Simplistic examples are:
- Executives with BlackBerry or iPhones wanting to access their corporate mail now from unpoliced, uncontrolled decices.
- IT staff who bring in their own Netbooks or Laptops to be able to be portable and work on the road or from a cafe.
- Sales staff who use web collaboration and meeting tools, share documents and give presentations that do not have authentication mechanisms.
Accountability (Use a large Stick)
When an incident happens it needs to be dealt with and dealt with swiftly. Ultimately, unless people are held accountable nothing will get them “thinking” about the risks and acting differently. This goes for everything from classification and restriction of data, to using the tools.
I don’t think that this a complete list, it is just a subset of the issues faced. The funniest thing is the parallels when looking at utility computing, as collaborative tools these days are also more and more “Cloud” based.
There is certainly a lot more that could be added. Anyone care to add their thoughts?