The great thing about working with a passionate team of professionals is the inclination to share information, techniques, and tools – a cycle of constant improvement. I was recently in the middle of one of those discussions when it turned towards a particular application designed to capture notes. It wasn't the first time I’d heard the praises about this particular application. I also remembered that it had finally been released on my platform of choice, Mac OS X. I popped open the App Store and had it downloaded before the conversation even concluded, excited to explore the potential of the tool. Upon launch, I was immediately required to create an account so the notes could be stored in the cloud.
If you have a hunch that I was hearing alarm bells, you’d be correct. As a security consultant and assessor, I am required to keep good records for my own understanding and for evidence from our various assessments. The details provided often include confidential or sensitive information.
Being relatively new to our organization, I went in search of our policy for handling client data (sensitive or other classifications) and what appropriate locations for storage had been identified. I did the research online and discovered a few more interesting items. The Windows version could password protect at the file level. There was also a way to store notes on the network within our own enterprise structure. But I couldn't find documentation detailing how to force local storage.
I emailed our group requesting we discuss the security of this app on both platforms, keeping in mind that it’s up to security professionals to enable the business, not just be the ones to say no. In the case of a security consultancy, the business just happens to be security and vice versa.
While I waited for suggestions from my colleagues who had also begun to review the tool, I decided to start evaluating the risk. An informal assessment seemed appropriate given the situation, plus it would enable me to explain my concerns logically.
I previously mentioned the assets would likely include client data of confidential nature that would require more rigorous protection than lower levels of classification, such as publicly available data. Threats to this data started pouring into my head.
- Locally stored notes were at risk of accidental deletion or system loss.
- Wi-Fi connections could place system files or data being transmitted at risk.
- Cloud-based notes would have the same risks as well as potential threats from individuals or groups trying to mine a large database of notes for malicious purposes.
In a formal review, I’d want to make sure that I exhausted threats from all domains.
I then started reviewing this risk from a controls perspective. Our laptops use disk encryption and access controls. The enterprise storage option allows corporate IT to secure and monitor. Enterprise storage runs a lower risk of being accidentally left in an airport x-ray bin or stolen from a trunk.
Moving that data to a third party cloud means we lose visibility of security controls and may not fully know what types of controls are being used within the cloud storage environment. While large corporate clients might be able to contact someone to provide a formal risk assessment of these controls, my leverage as an individual user of a free application is limited. Likewise, vulnerabilities in the cloud environment from an authentication or system perspective are possible, but not easily identified. Similar solutions have seen breaches due to credential vulnerabilities as well as leaked data. As a result, we would be placing sensitive data onto a system without understanding fully the risk and knowing that loss of client data would result in lost trust and possibly revenue. This thought process reinforced my belief that we should, at a minimum, identify a way to store sensitive notes in locations where we knew the level of security matched the data classification.
Response emails populated my inbox and follow-up conversations began. Our security consulting team were all using the Windows version and storing the note data files on a secured partition on their laptops. Cloud storage was not required on Windows, but it was available as an option to extend the functionality of the app and mobility of the data. The lack of a local storage option on the Mac version (as well as an immature feature set) was not enough to prompt me to switch from my current solution.
New tools and applications are being introduced to your environment on a daily basis and many now involve remote connectivity and data sharing. As security professionals, we’re in a unique position to be the “early warning system” when we see processes or tools changing that could have an adverse impact to our security posture. This requires being actively involved with all departments throughout your company on a regular basis to understand the interaction with sensitive data, constantly reinforcing a process that includes continual risk assessment, and providing awareness of governance and how to securely implement the solutions.