Inspired by “How Anonymous Do Businesses Need to be?”
I recently had the opportunity to lend my thoughts around this topic and was included in the article. The article is here by Lora Bentley, who writes some interesting articles and I highly recommend reviewing her prior work. Below is her question and my response:
“…when and why companies (as opposed to individuals) use such technology as that provided by Tor or Anonymizer and…whether businesses find such tools to be valuable.”
The use of such technologies, bleeding edge in concept and application, has proven itself over and over again. Consider the use of BitTorrent, where some companies are using distributed files to load patches across tens of thousands of systems with a small impact on the network vs. a standard Microsoft patch system. Also, there is the example of firms leveraging P2P for video transmissions within a Fortune 50 company to push training and corporate messages around the globe.
The use of such tools provides a level of security and is very valuable to organizations that deal in research and highly competitive industries. For instance, in the manufacturing space (a former life) we had the research, design, and test systems walled off with concrete and had strict access control rules. Today the public internet is heavily leveraged and end-users (researchers) operate around the world on some unsafe networks (coffee shops and certain nations) where eavesdropping and monitoring are highly likely. The simple observation of an employee’s Google searches and frequent websites would be enough for corporate espionage specialists. In addition, the usage of such privacy approaches is valuable for corporate research where the end-point servers are recording who/what is visiting, and this further eliminates an available avenue of information.
In the end, the usage of leading technologies within corporations will occur. The usage of Tor and Anonymizer (only a few examples in this arena) provides exceptional safeguards for research and market testing facilities not widely available today.
Now writers do not have a lot of space and must keep a topic concise and digestible; however, I do feel like my response deserves a bit more expansion to ensure I am clearly understood, so I have provided it here for all to comment, question, challenge, and such.
What other technologies fit this category? How do we handle these around IT controls and within the PCI DSS space?
James DeLuccia IV