If you’re responsible for information security in your organisation and I told you that your users will violate your hard-won corporate IT security policy and hand their usernames and passwords to an external, uncontrolled website, you might think I was confused.
You might spend time reassuring yourself of the desktop and laptop security mechanisms you have in place to protect your users against malware and phishing attacks. Then you’d remind yourself of the comprehensive IDS/IPS solution and perhaps its reassuringly expensive data leakage prevention features (even though you hadn’t quite managed to integrate it with all of your document sources).
But beyond that, you’d take comfort in the password expiration policy that makes users change passwords regularly, and in the complexity and history rules you put in place to stop them choosing easy-to-guess or recycled passwords.
You’d be disappointed to learn that the attack vector I am talking about doesn’t require the ability to execute code on the PCs you control. It doesn’t even need users to be hoodwinked into clicking links in emails. They will voluntarily hand their login credentials to an external organisation.
Before you click away, dismissing me as a crackpot, let me try to explain. For those who haven’t seen it, Sanebox http://www.sanebox.com/, claims to tidy up and organise your email inbox, assessing the content of messages, your reply patterns, the longevity of threads and other complex factors in order to determine whether a given email warrants a place in your inbox.
All it asks for in return is that you submit your email address, username and password into its cloud-based web interface and give it some time to connect to your email system (because you had to expose OWA on your Exchange server to the Internet for all those pesky Android phones and iPhones, right?) and whittle its way through your inbox, sorting the wheat from the chaff in order to leave you with an inbox to-do list that is remarkably compelling in its tidiness. Indeed, statistics for my own trial of the system suggested I could save 40 minutes a day.
Sanebox doesn’t delete any email. Rather, it re-organises it according to what it calls “inbox worthiness”, a curious term that seems to mean mail from someone who usually says something that might spark or invite a reply. Other messages, such as automated reports, newsletters and bulk emails, get filed in a folder to check when your smartphone has you as a captive audience.
This “QoS for the inbox” proposition is very similar to GMail’s Priority Inbox feature, and it’s compelling for most enterprise email users in organisations where the cost of reading an email is rarely appreciated. The risk/reward equation, something that at CIO level is often very difficult to quantify and evaluate, is much simpler in the eyes of an average end-user: “A few clicks, type my email address and password, and my life is easier.” Even if he’s aware that trading his password for an organised inbox has breached the corporate IT security policy, he probably feels it’s justified. And he can even overlook the post-trial subscription fee, because the service is so effective.
So what can the IT security professional do to address this, and help enforce the corporate IT security policy that is there to make everyone’s life safer? I’ve had the opportunity to consult several experienced security professionals on the matter over recent weeks – I thought it best to, before I confessed my own lapse of judgement! – and I can share those views here.
The overwhelming initial response was one with which you might be intimately familiar, if you’ve worked in or with the IT security industry: “How do we block it?”
- “We can block it on the corporate Internet firewall gateway, right?” “Oh, but users need to connect to the mail server from outside… Damn!”
- “We can enforce it with desktop/laptop personal firewalls.” “Wait, there isn’t any software that runs on the user’s laptop. It’s all in the cloud!”
I’m not trying to make light of the problem that Sanebox causes for organisations with strict corporate security policies and businesses that rely on confidentiality and privacy. But I think it is important to realise that cloud technology has made an application that would previously have been best implemented as a client-side plugin much more effective as a Software-as-a-Service platform that “just works” and doesn’t bother the IT manager with hassles about co-location of servers, software management, upgrades and so on.
As a result, the enterprise IT security industry needs to be more creative in how it responds to this apparent threat. The answer cannot be to prevent people from using the service. We’ve learned through experience that users will circumvent controls that are too hard or unreasonable. Instead, the answer needs to be one that addresses how the service can be used without the obvious downsides that exist today.
Some of the more constructive answers I heard in response to my enquiries centred around quarantining or localising the use of the email password. Recognise that it is now potentially an “exportable” token, so it should take a form that isn’t also linked to all of the clever single-sign-on tools that would grant access to Windows domain shares and Oracle database platforms: a separate, mail-only credential that can be revoked on its own, rather than the one password that unlocks everything.
But I think the best answer I heard so far in response to the problem was the suggestion of establishing a “trust” mechanism with the external provider. The organisation grants permission for Sanebox (or presumably any other provider) to access the mail server on behalf of users X, Y and Z in order to deliver their value-add service. Users can opt in, and the enterprise can pay a per-seat tariff.
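The two suggestions above, a mail-only credential separate from the single-sign-on password and an enterprise-granted, per-user, revocable delegation to the provider, can be combined in one mechanism: instead of the user handing over a password, the enterprise mail gateway mints a scoped token for the provider. The Python below is an added illustration of that design and is not Sanebox’s or any vendor’s actual implementation; the gateway key, the provider name “sanebox-example”, the scope names and the token format are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: this key lives only on the enterprise mail gateway. The
# provider never sees it, so it can neither verify nor forge tokens.
GATEWAY_KEY = b"assumed-gateway-signing-key-change-me"

# The only operations an inbox-sorting service legitimately needs. Note
# what is absent: no delete, no send, and nothing outside the mailbox.
DELEGABLE_SCOPES = {"mail:read", "mail:move"}

# Token ids withdrawn by the user or an administrator (a set stands in
# for the gateway's persistent store in this example).
_revoked_ids = set()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(provider, mailbox, scopes, ttl_seconds, now=None):
    """Mint the delegation token the enterprise hands to the provider.

    The user opts in, the gateway signs the claims, and the provider holds
    only this: bound to one provider, one mailbox, a fixed set of
    operations and an expiry. It is not the user's password, so it opens
    no domain share and no database.
    """
    now = time.time() if now is None else now
    not_delegable = set(scopes) - DELEGABLE_SCOPES
    if not_delegable:
        raise ValueError(f"scope cannot be delegated: {sorted(not_delegable)}")
    claims = {
        "jti": secrets.token_hex(8),   # unique id so this token can be revoked alone
        "provider": provider,
        "mailbox": mailbox,
        "scopes": sorted(scopes),
        "exp": int(now + ttl_seconds),
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(GATEWAY_KEY, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(sig)}"


def verify_token(token, now=None):
    """Return the claims if the token is genuine, unexpired and not revoked, else None."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
        claims = json.loads(body)
    except ValueError:               # malformed base64, JSON or structure
        return None
    if not isinstance(claims, dict):
        return None
    expected = hmac.new(GATEWAY_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None                  # tampered with, or not signed with the gateway key
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now or claims.get("jti") in _revoked_ids:
        return None
    return claims


def authorize(token, provider, mailbox, operation, now=None):
    """The gateway's per-request check before it touches a mailbox for a provider."""
    claims = verify_token(token, now=now)
    if claims is None:
        return False
    return (claims.get("provider") == provider
            and claims.get("mailbox") == mailbox
            and operation in claims.get("scopes", []))


def revoke_token(token):
    """Withdraw one token without touching the user's password.

    Only the unsigned body is needed to learn the id; revoking an id that
    was never issued is harmless.
    """
    try:
        _revoked_ids.add(json.loads(_unb64(token.split(".")[0]))["jti"])
    except (ValueError, KeyError, TypeError):
        pass


def forge_mailbox(token, other_mailbox):
    """What someone who captured a token (but not the key) can try: rewrite
    the mailbox claim and keep the old signature. verify_token rejects it."""
    body_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64(body_b64))
    claims["mailbox"] = other_mailbox
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return f"{_b64(body)}.{sig_b64}"


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("sanebox-example", "alice@example.com", ["mail:read", "mail:move"], 3600, now=t0)
    print("read allowed:  ", authorize(tok, "sanebox-example", "alice@example.com", "mail:read", now=t0 + 60))
    print("delete allowed:", authorize(tok, "sanebox-example", "alice@example.com", "mail:delete", now=t0 + 60))
    print("forged mailbox:", authorize(forge_mailbox(tok, "bob@example.com"), "sanebox-example", "bob@example.com", "mail:read", now=t0 + 60))
    revoke_token(tok)
    print("after revoke:  ", authorize(tok, "sanebox-example", "alice@example.com", "mail:read", now=t0 + 60))
```

The point of the design is in what the provider does not get: the token cannot be replayed against domain shares or databases, it cannot be widened to delete or send mail, it cannot be re-pointed at another user’s mailbox without the gateway key, and the user (or the security team) can revoke it at any moment without forcing a password change. Provider and enterprise still have to agree on how such tokens are presented to the mail server, which is exactly the “trust” arrangement the suggestion above calls for.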
There will be those who still protest that sensitive corporate email is being exposed outside the company borders. Sanebox has made some promises on how information is used and retained, and the Google Apps generation have long since accepted the trade made in outsourcing email completely. But stalwart supporters of the enterprise IT border might reflect on the fact that sharing sensitive data outside the organisation is commonplace in other areas. Consider commonly outsourced functions such as payroll, CRM with Salesforce.com, not to mention HR and recruitment.
In summary, cloud technologies will continue to frustrate our current understanding and assumptions about data security, and indeed data ownership. But we mustn’t be afraid to tear up the established rule-books on enforcing information security if we are to move with the times. A successful information security strategy must try to keep the user on-side, rather than going head-on against his perception of productivity for the sake of security.