AJAX is the latest craze in online development tools, notwithstanding Ruby, and as simple and wonderful as it is to have webpages (gmail.google.com) not refresh repeatedly, this does raise a concern. My security-compliance sirens are going off the more I see online repositories or enablers for online development. The trend, even with Microsoft Office, is that the era of purchasing software packages that you own (own being a relative term in this modern EULA world) is ending, and the ASP model for sales support software, accounting software, email systems, and now online word processing is taking over. This leads me to two points (and I am certain there are many more…): first, as we were rightly concerned with back office mainframes being put on the web, why are we not as concerned with our IP (intellectual property) being put onto other servers in other countries through these ASP models; second, how does this displacement impact our duty as security practitioners to meet our regulatory and compliance requirements?
In the beginning of time (again, relative) all the data of an organization was stored on big iron in the back room, and everyone could enter data through terminals. Then we were given a great gift (the Internet), and we moved all of the data from mainframes onto cheaper, more interactive (inherently less secure) systems and made them publicly available. Well, privately first, and then we realized that automation and enabling clients to input their own information was WAY cheaper. At this point, all the data that is ours is still within our control, on our servers, and operating within the business controls we (security professionals, auditors, management, and the board) accept. Now we are seeing the trend shift again to fully online systems where companies only pay a subscription, or the service is free (until VC funding runs out).
Back office operations were among the first to move, with companies like SalesForce.com and Netsuite.com; these systems were given all our data and we interact with them. These companies provide a service and replace the big software packages that companies would otherwise have to purchase. The latest twists are sites (leveraging AJAX) that provide the workspace to create IP. Sites such as AjaxWrite.com provide an interface where anyone can write a Word document (yes, Microsoft Word) and save it in a compatible format. The challenge here is: who owns this content, how is it protected, and if it is online, are they saving a copy? Also, beyond the disclosure threats of creating documents over insecure (unknown) systems, how do we, as our compliance requirements state, ensure that the information is retrievable for e-discovery?
Thoughts on minimizing the likelihood and consequences of using these types of systems:
- Controls, controls, controls – Be sure in the SLA with the vendor that you have the right to audit how they manage your data. If possible, request they provide a full SAS 70 Type II and confirm that the controls tested were relevant to how they use your data.
- Encryption – Verify that the site permits only top tier encryption strength, through certificates that are valid, up-to-date, and signed by a higher authority.
- Authorization / Authentication – Confirm the site requires authentication to access your data, and confirm that the user provisioning is secure. Verify that the vendor’s help / support desk doesn’t reset passwords without proper identification, and request a regular (every 90 days) report of accounts, activity, and password strength.
- Deny – The easiest thing to do is eliminate the ability for people to expose IP to sites that enable content creation beyond the control of the business safeguards. This cannot be done by disabling AJAX or Java; instead it requires a strict policy to convince employees not to use these technologies. Of course, adding a good DNS / IP address block wouldn’t hurt in discouraging this type of behavior.
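The Encryption item above can be turned into a repeatable vetting check. The script below is an added example, not part of the original post: it takes what Python's `ssl` module reports for a vendor endpoint (certificate, negotiated protocol, cipher strength) and lists the findings a reviewer would flag. Chain validation against the system trust store is done by `ssl.create_default_context()`; the thresholds and the sample certificates are constructed assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

# Vetting thresholds (assumptions for this example, not from the post).
ACCEPTED_PROTOCOLS = ("TLSv1.2", "TLSv1.3")
MIN_CIPHER_BITS = 128
MIN_DAYS_LEFT = 30


def assess_tls(cert, protocol, cipher_bits, now=None):
    """Return a list of findings for one endpoint.

    cert:        dict in the shape returned by SSLSocket.getpeercert()
    protocol:    value of SSLSocket.version(), e.g. 'TLSv1.3'
    cipher_bits: third element of SSLSocket.cipher()
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    # getpeercert() formats dates as 'Mon DD HH:MM:SS YYYY GMT'.
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        findings.append("certificate expired")
    elif days_left < MIN_DAYS_LEFT:
        findings.append(f"certificate expires in {days_left} days")
    # issuer == subject means no higher authority vouches for the certificate.
    if cert.get("issuer") == cert.get("subject"):
        findings.append("certificate is self-signed")
    if protocol not in ACCEPTED_PROTOCOLS:
        findings.append(f"weak protocol {protocol}")
    if cipher_bits < MIN_CIPHER_BITS:
        findings.append(f"weak cipher ({cipher_bits}-bit)")
    return findings


def check_vendor(host, port=443, timeout=5.0):
    """Live probe of a vendor host; the default context rejects untrusted chains."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return assess_tls(tls.getpeercert(), tls.version(), tls.cipher()[2])


# Constructed sample data so the checks can be exercised offline.
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
CA_SIGNED = {"subject": ((("commonName", "vendor.example"),),),
             "issuer": ((("commonName", "Example Root CA"),),),
             "notAfter": "Jan  1 00:00:00 2030 GMT"}
SELF_SIGNED = dict(CA_SIGNED, issuer=CA_SIGNED["subject"], notAfter="Jan  1 00:00:00 2020 GMT")
```

`check_vendor("vendor.example")` raises `ssl.SSLCertVerificationError` when the chain is not trusted, which is itself a finding worth recording.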
To summarize: we have Google saving all the emails, searches, and such that happen on their systems (not disturbing until they get subpoenas). Websites such as AjaxWrite (and Google’s latest acquisition and competitor to AjaxWrite, www.writely.com) are enabling our employees to create content (be productive) anywhere on the planet with no means of recording or safeguarding this content. While there is guidance on how to handle retention from the Sedona Group in their excellent brief titled Best Practices Guidelines and Commentary for Managing Information & Records in the Electronic Age, there is not enough precedent set in court to state absolutely how to handle content developed online. So, the question of the hour is, “How shall we maintain controls in an environment that exists only by not having them?” A good question for another time…
James DeLuccia IV