Some policies, procedures and measures can be counterproductive when it
comes to protecting emails, voicemails and communicating of large data files,
contends Steven Brower of the law firm Buchalter Nemer.
Employees are allowed through an office entrance, with electronic card access control identifying them. Security or reception checks visitor credentials before allowing them in. For some facilities, bags and mailed packages are checked for everything from explosives to white powder.
But what about email, faxes, voicemails, electronic documents and large digital files which arrive at and are sent from enterprises? They all contain information that can potentially harm an organization or its reputation. In such electronic exchanges, there is increased need to authenticate the sender and the receiver as well as the unchangeable content.
Welcome to a new security headache: the need to identify and authenticate the flow of information to and from organizations in terms of the content as well as the sender and receiver. The job makes a card reader seem like yesterday’s AOL.
The challenge: Is there a way to routinely deliver documents, files and messages in a simple and secure manner within common workflow processes? With today’s government regulations, compliance issues, corporate policies, sophisticated cybercriminals and an increased awareness and need for security, many existing file delivery methods are no longer suitable for sending information. Adding to the challenge are the sometimes security complexities that ironically can add more vulnerabilities as employees, contractors, collaborators and clients discover “Post It Note” like solutions as an end around to confusing procedures, difficult passwords and too many computer clicks before an email or file is securely sent or accepted.
Spotlight on Message Delivery
The bottom line – many existing file delivery methods are no longer acceptable, contends Bill Ho of Biscom, a new-age security firm which enables users to deliver documents, files and messages in a simple and secure manner.
Ho points out that security must be part of the routine workflow when it comes to email, faxes, documents and large digital files. Who is actually receiving a communication and can the enterprise prove it? When it comes to compliance, internal or external auditors will be seeking proof that communication of specific information has been reasonably protected.
One example is Rockland Trust Company, a wholly-owned subsidiary of Independent Bank Corp. of Massachusetts. The bank provides consumer and business products and services through its more than 60 retail branches, 10 commercial lending centers, five mortgage banking centers, and four Investment Management Group offices. A major security challenge is protecting customers’ personal identifiable information when sending data. There are many banking regulations that dictate how such data as account information and Social Security numbers need to be handled.
While the company has a secure email application, it is not sufficient for sending large files. “The size of files that we needed to send to customers, partners, vendors, law firms and appraisal companies was much larger than our email attachment limit,” comments Dave Brown, information risk/security architect, Rockland Trust Company. Its method for sending large files was to burn the data onto DVDs and send them via overnight delivery. The company had security concerns about the sensitive data getting lost when being sent by courier. Also, many of the documents were time sensitive and delivery by courier service was not fast enough. Additionally, it was taking approximately ten hours a week for staff to manage this large file transfer process.
Brown’s organization now uses a secure file transfer Web-based application that enables enterprise-class large file transfer. Data transfer is secure, authenticated and delivered directly from point-to-point. Integrated tracking and reporting capabilities provide a comprehensive audit trail.
Collaboration Has Vulnerabilities
Many organizations today have on-going, everyday collaborations, which include sharing and transfer of sensitive information among companies and agencies. There are select trusted credentialing authorities to handle identity management and secure information sharing, often through PKI bridges. Public key infrastructure is a set of hardware, software, people, policies and procedures needed to create, manage, distribute, use, store and revoke digital certificates. In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority or CA. The user identity must be unique within each CA domain. The binding is established through the registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA, or under human supervision.
Trusted third parties are used for certificate authority.
One-credential systems aimed at cross-organizational access can also impact physical access control. An example: Funded in part by the General Services Administration, which operates the U.S. Federal Bridge for inter-agency information sharing, CertiPath, according to the firm’s Jeff Nigriny, was tapped to design and oversee the implementation of a system that could overcome fragmented, expensive and vulnerable approaches to managing physical and logical identity authentication and access control. The system extends the proven value of PKI-based security systems for managing and assuring logical access control to the challenges of managing and assuring physical access control. The approach leverages PIV, PIV-I and Department of Defense Common Access Card (CAC) credentials issued by any valid issuer, as well Transportation Workers Identity Credentials or TWIC.
Nigriny suggests that PIV credentials in PKI mode at physical doors is the next big thing.
More broadly, Morey Haber of eEye Digital Security encourages enterprise security leaders to seek and use unified vulnerability and compliance management solutions that integrate assessment, mitigation and protection. For instance, such technology can support the CAC smart card for two-factor authentication, a compliance requirement for access to critical federal government computer systems and certain DoD facilities. The CAC enables encrypting and cryptographically signing email, facilitating the use of PKI authentication tools, and establishes an authoritative process for the use of identity credentials.
From Physical Doors to Computer Ports
Still, most solutions aimed at securing shared data do not relate to door controls.
Chris Callen of CD Callen, Westerville, Ohio, an insurance agency serving dentists nationwide, has Meana, a German shepherd for office security and protection. But when it comes to client confidentially, he depends on document security technology to avoid lawsuits and meet the requirements of HIPPA and HITECH, which mandate the handling of certain types of information. He uses a solution from DataMotion. “We secure email and attachments so that people can retrieve messages online in a closed, secure manner.”
While Steven Brower is still waiting for the evidence of someone intentionally intercepting an email from a sender to a receiver, he agrees that some protection measures may be so difficult, expensive or different from the routine that they could be counterproductive. “I am not necessarily a fan of encryption” for much of routine business communication, he relates. Brower is a member of the litigation practice group with the law firm Buchalter Nemer. In the area of intellectual property, he regularly handles matters relating to copyright, trademark, trade dress and trade secrets, including obtaining and resisting injunctive relief.
“There are some industries – healthcare and financial – where regulations mandate more careful treatment of emails, electronic files and faxes.” But for many chief security officers and their chief information officers, it is best to first gauge the level of risks and the types of threats, observes Brower. Even before technology solutions, “it’s a matter of having in place polices, consistently communicating those polices to employees and organizations with which an enterprise collaborates.” He does point out that even voicemail can be vulnerable since a growing number of organizations and individuals use technology that automatically converts voice to text.
When it comes to emails and data files involved in civil and criminal litigation, Brower sees that, in today’s digital era, the paper-based records retention schedules have changed as enterprises more quickly destroy electronic files as compared to paper files.
Electronic discovery or e-discovery is the other side of the coin when it comes to protecting emails and other electronic communications from illegal or improper use. As highlighted by the recent actions of the Securities and Exchange Commission relative to Goldman Sachs, certain internal and external messages can play a role in regulatory and court actions. E-discovery refers to discovery in civil litigation which deals with information in electronic format, also referred to as electronically stored information.
Six Steps to Deliver Files Securely
• A sender collects
files, documents and other electronic media.
• The sender creates a
"package" of files, optionally enters a secure message, and addresses
the delivery to one or more recipients.
• Recipients are notified of their secure delivery through an email
message with an embedded hyperlink.
• Recipients sign in
to an identified server.
• Once authenticated,
recipients can view the secure message and download files.
• The sender receives
an email notification that the delivery has been viewed.
No Paradise in these Dashboard Lights
As vehicles take on more operational computers and owners buy vehicles with two-way communications, Internet and global positioning gear, there are growing worries that cars, trucks and fleet vehicles are increasingly vulnerable to programming conflicts and failures, eavesdropping and even remote hacking that could create life safety situations as well as theft of intellectual property from corporate executive drivers, according to HD Moore, chief security officer at Rapid7. The bad guys are already “pinging cars,” he contends. In a 2010 IEEE Symposium on Security and Privacy paper, researchers point out that modern automobiles are no longer mere mechanical devices; they are pervasively monitored and controlled by dozens of digital computers coordinated via internal vehicular networks. While this transformation has driven major advancements in efficiency and safety, it has also introduced a range of new potential risks. An attacker who is able to infiltrate virtually any electronic control unit can leverage this ability to completely circumvent a broad array of safety-critical systems. In addition, the two-way communication and Internet portals now being build into vehicles spotlight the potential threat of illegal or improper capturing of messages and large data files, adds Moore.