Collaboration as a Threat vector
Since the world shut down earlier this year, those of us that could, have been working from home. This has resulted in us adopting all the various collaboration tools available in a big way and often without any consideration of the risks involved in doing so. Collaboration is great and is the basis for innovation and projects in companies around the world, not just for collaboration but often for communication with colleagues for those of us working from home and missing the normal humdrum and sparring with colleagues of our work place!
With collaboration in this context, I am referring to technologies like e-mail, chat, video and document sharing, what we used to call unified communication a decade ago. E-mail have been a threat vector for decades as we all well know, but as the work force becomes more and more distributed, a trend that has only accelerated with the onset of Covid-19, the rest of these communications tools are becoming more and more business critical, making their security something that should be of the utmost importance to any company relying on these tools. Of course the security of the home office is an important factor in this as well and for that I recommend you read the excellent article by Thomas Ehrlich called: Home Office: securing the new remote work, you can find that article here.
If we disregard e-mail as the well-known threat vector it is, then why is collaboration a threat to the modern enterprise? When we collaborate, even if it is just with direct colleagues from the same organization, we are typically sharing files with one another, or working in these same files as part of whatever assignment/project we are part of at the moment. My focus in this article will be on these files, but that does not mean that the risks to voice or video communication is any less important in a collaboration system, since information shared in voice and video can be, and usually is, just as important as the information in files.
I am going to use two different vendors for my examples in the rest of this article. Microsoft and Cisco. Microsoft, being the most prevalent vendor in the desktop space and Cisco being amongst the biggest in the network space. These are also the two vendors that I have chosen to specialize in, but I am sure that the recommendations I give in the rest of this article, will apply to other vendors as well.
Collaboration Platforms
Microsoft have their Teams application for collaboration purposes and this platform is an excellent tool for that purpose. Teams integrates with SharePoint for file storage and management and you can share files and collaborate on these files inside of Teams. Note the word share in the previous sentence because sharing can be done with internal partners, inside of the organization, or it can be done with external partners. The sharing of file outside of an organization is not necessarily something bad, we all do it all the time, but this sharing is an inherent risk in a collaboration system, not just the Microsoft one.
Who are we allowing to share internal files? Who are they allowed to share the files with? What is the external partner allowed to do with the files? What files do we allow sharing of? All these questions need answering, if we are to collaborate in a safe, secure and compliant manner. Remember that collaboration is not just done with day to days issues, but in equal amounts for sensitive issues or product development, which should not be shared too widely, or outside of the company! Much info can be lost without a good governance program guiding the use and maintenance of a Teams rollout in an organization!
Cisco have had collaboration systems for many years. Historically these systems have been created around video conferencing and IP telephony, but in recent years this has been expanded to include chatting and file sharing as well. But the exact same questions need asking, as for the Teams solution from Microsoft. Who can do what to which files and with whom? At any time where we are collaborating or sharing files, we should include in our approach, a thorough risk assessment and regular reviews of the systems in question. This goes for any collaboration system, regardless of whether they are from Microsoft or Cisco. The network perimeter has been lost with the onset of could computing, but with collaboration this trend is accelerating, making the control and governance surrounding these tools business critical!
Recommendations
So, how do we advise or our customers and implement collaboration systems in our organizations? For Microsoft, the answer I typically give is Azure Information Protection, or AIP for short. With AIP we can tag and classify files and control what employees or partners can do with these files as well as control the sharing of the files. AIP can provide any organization, that utilizes AIP correctly, with a level of security and information governance benefits that cannot be overstated! I know I sound like a fanboy here, but AIP really can provide our organizations with an excellent level of security for our files. AIP can even integrate with 3rd party DLP solutions, which can use the tagging/classification on the files in their decisions for how the files should be handled by the DLP solution.
The caveat to AIP, you knew this was coming right? AIP cannot be implemented by IT themselves! The business needs to be involved in how files are tagged and how files are classified. IT cannot know which files that HR are using should be tagged or classified. The same goes for finance files and all the other departments in a modern organization. The business must create the tags/classification that the business needs and here is where many a project crash! The business is busy with the business and does not necessarily understand the benefits that can be gained from information tagging and classification. An AIP project must be anchored at the highest possible level in the organization, preferably at the C-level, in order to be successful. Without that level of sponsorship and pressure, the various business units will not take the AIP project seriously.
I know there are tools out there that promises to create automated tagging and classification on files and Microsoft has their own roadmap that includes such a tool and such a tool will make sense in many cases, but it does not remove the need for the business to be involved with the actual classification of the information. These tools can remove a lot of the labor involved in classifying the older information, regardless of the location of the information, but a successful AIP project must achieve buy in from the various business units.
Tom Madsen
Tom Madsen has been active in the cybersecurity industry for more than 20 years. Tom graduated from the University of Aalborg and covered several technical roles in security during his professional career. He is certified as CISSP, CISA, CISM, CGEIT, CRISK, CCSP, CDSPE and CSSLP, and has published the book "The Art of War for Cybersecurity". He is currently writing a book 'Security Architecture - How & Why'.