Over the years, the responsibility for the maintenance and safekeeping of corporate electronic files and intellectual property has rested squarely on the shoulders of the information technology department. Keeping hackers out of the network and away from the company’s system was paramount and usually involved a myriad of software and hardware solutions. Internal users were generally afforded a higher level of security since most were employees who were already cleared for access.
As mobile devices became ubiquitous, the question of information security necessarily broadened. How could we secure data that was being accessed at any time, from anywhere? A user could literally walk out the door with important intellectual property. So, IT instituted restrictions on who could get to what information and whether they could download or print the files. This was accomplished through the use of formal document management solutions, restrictions on administrative privileges and end-user device monitoring programs.
New hacking approaches
Intrusion detection into networks has improved to the point that the “bad guys” have taken a different approach. The majority of successful hacks now occur due to phishing attacks, malware delivery through email attachments, and website redirection. This allows attackers to get access to users’ local machines, which are usually connected to a network. Once inside the local machine, attackers have access to anything residing on the machine or any accessible network share, including any downloaded or shared corporate files.
Once resident on the machine, these intruders can monitor and record user actions and passwords, can report back to foreign entities through encrypted messages, can wreak havoc on application processing, and even take over a machine entirely, as is often the case with ransomware. Trying to prevent these localized attacks has become the mission of many IT departments, but without the help of the user, preventing external access to local files is very difficult.
Corporate guidelines for information security
IT departments have issued many policies and procedures for safeguarding data and information on their networks and for local users. Larger organizations perform periodic audits of their systems, structures, policies, procedures and enforcement approaches.
Companies doing business with the U.S. government must comply with the regulations and guidelines issued by several controlling agencies. Because of its mission, the National Institute of Standards and Technology (NIST) has led the specification of how government information should be handled and secured. NIST Special Publication 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations) details many of the practices and recommended features of organizational information security. Over time, the guidelines issued by NIST have generally become de facto standards for IT security (even if the company does not deal with government data) and many organizations are completing NIST compliance audits.
In addition, many companies storing government data that also deal with foreign corporations or countries must comply with International Traffic in Arms Regulations (ITAR), which includes the movement of data and information as well as the sales of goods. ITAR regulations include the security and safekeeping of information while dealing with non-U.S. entities.
Access enforcement is key
A primary tenet of information security is access enforcement. Core security principles include the concepts of “least privilege” and “least functionality”; this means giving only the minimum access required to fulfill a role or function and nothing more. For files, this determines who gets to see, print, download, change, and distribute files, and under what conditions.
For most systems, these concepts are easy to implement, ensuring files are secure and utilized properly. But what happens when files are printed, downloaded or emailed outside the control of the corporate document management system? The organization loses much of its ability to enforce access once files reach local computers, whether workstations, laptops, tablets or smartphones.
Security does not mean stopping screen captures
There are clearly times when users require files for viewing. Once displayed on their screen, those images can be captured either through screen capture software or by taking a picture of the screen. There really isn’t a security technique that can prevent picture capture (though some highly secure facilities prevent individuals from entering the premises with a camera or smartphone with a camera). Until we can somehow transmit images telepathically, we’ll have to live with the vulnerability of individuals capturing screen images. The key, again, is to prevent people from viewing files they don’t, or should not, have access to.
Though image theft is real, it means the culprit only gets an image and not the underlying data that generates the image. The greater risk comes when files are downloaded, printed or emailed as attachments. Once on the local machine, the files can be moved almost anywhere, renamed, encrypted, or corrupted. Files that are emailed as attachments get even further away from being controlled. So, what is the best way to secure these files and not lose control?
File management at the server is the answer
A good method for complying with NIST and ITAR standards is to never deliver a file to a computer connected to the network. This means only providing a streamed image rather than the actual file to the user. By not delivering the base file, the file remains secure in the controlling system; the user can’t copy the file or put the file on a USB stick as the file does not reside on the local machine.
Additionally, force all printing to be done at the server, so only the print images are sent to the printer. This has the added benefit of being able to control who can print files as well as watermarking or stamping appropriate statements and legends on the prints (e.g., Confidential or Not for Release).
Don’t get fooled by systems that say they don’t download files for printing or emailing. Many of these systems download the file to a temp file on the local disk and then remove the file once the action is complete. This method of file handling does not comply with today’s information security standards as the file, even if only temporarily, is not being controlled while on the local machine.
Information security audits also help
In order to be sure a file management system is compliant with current standards an organization should invest in a NIST compliance assessment. This can be a focused review, just looking at file management, or a comprehensive, organization-wide audit of all handling of information, including physical files, information technology infrastructure, and corporate information security policies.