Information Security for Modern Enterprises

Transcription

1 Information Security for Modern Enterprises Kamal Jyoti 1. Abstract Many enterprises are using Enterprise Content Management (ECM) systems, in order to manage sensitive information related to the organization. This information needs to be protected from unauthorized users. The purpose of this research report is to investigate some of the security challenges faced by small and medium enterprises (SMEs). The first part of this research consists of identifying existing and relevant research papers on ECM security. Secondly, it is important to reflect on how the ECM architecture and content management systems are different from other information systems. As an ECM system may handle both structured and unstructured data, there are a wide range of potential security issues. ECM systems provide business related benefits such as accessibility, scalability, proper document management, better workflow management. On the other hand, ECM systems are also vulnerable to security threats aimed against those organizations and their documents. The literature review for this paper also covers the different types of security attacks and some of the preventative measures. 2. Introduction ECM (Enterprise Content Management) is a collaboration of different strategies and tools for an organization to create documents, manage the data, send and deliver the information, store the content and documents related to that companies need. Figure 1: ECM System

2 ECM P. 2 ECM helps to manage different types of information, whether structured or unstructured information. Structured information is information that has been processed within a system, e.g. relational databases, ordered data, sales and invoicing, accounting and human resources. Unstructured information can be used by humans as it is, e.g. images, office documents, print streams, graphics and drawings, web pages and contents, s and videos. Unstructured data is managed by ECM in an organization, wherever the relevant exists. ECM includes end-to-end management solutions for product evaluation, application development to maintenance, record management and web content. It also facilitates clients to handle paper and electronic records to decrease the cost. The security of organization data has always been crucial in a modern enterprise. Recently, this also applies to employees using mobile devices for work (Erturk, 2012), including companies that have bring-your-own-device (BYOD) arrangements. ECM systems are utilized for storage and distribute the digital content. These digital contents have different sorts of documents. They are linked with organizational operations and can be vital to the business. ECM systems consist of different modules, each of these modules has focus on different tasks and own purpose. ECM systems are designed to archive and control correspondence of documents within organization. They might be used to store documents and these can be accessed by others at the other side of the world. This helps employees to communicate with other companies and it also helps to align business processes, because cooperation is made easier or automated. ECM systems also helpful to provide secure electronic documents, within the system and can be determined who does or who does not have access or certain privileges. 3. Body 3.1 Literature review: Nick Peterman s paper on Threat Modeling of Enterprise Content Management systems focuses specifically on security and threats in ECM systems. This research has, however, especially concentrated on the implementation and the functionality of existing organizations. It shows that threats or vulnerabilities within ECM systems have been largely ignored in research papers to date. A literature review will be identified in order to give background knowledge about ECM systems and security issues, as these will be important factors. In this paper an important aspect is security within the ECM, there must be secure document management. Organizations preferred to store their documents securely and access information for a particular time of periods. Security within ECM is divided into three different areas; people, processes and documents. Each of these areas presents a threat to the organization and its integrity. In every company some employees authorized to access the data, but some are not. So if such confidential documents will leak and people can change the contents of the documents, the company may face heavy loss. So issues related to the document security in this paper are: Document integrity, Document origin authentication, Document privacy, Document destination authentication, and secure remote document management. In this paper, it is proposed that, securing documents can be attained in many different ways such as; authentication using a password, biometrics fingerprints or digital signatures and watermarking on the papers.

3 ECM P. 3 Methodology: Furthermore, in this paper the threats were divided into three categories: Confidentiality, Integrity and Availability. The methodology used for the research is interviewing three experts on the field of ECM or security. These interview results shows a total of 73 attacks were classified. Out of these 64 attacks are considered as a medium threat and the rest of the 9 attacks are high threats. In Confidentiality Attack Tree 8.33% have high threats. The Availability Attack Tree has (17%), 5 out of 29 rated as a high attack. Finally the Integrity Attack Tree has only (10%), 2 out of 20 attacks are placed as high threats. Trend Micro s white paper regarding Microsoft SharePoint Use Models and Security Risks represents that Microsoft SharePoint has two components; WSS 4.0 (Microsoft Windows SharePoint Services) and MOSS (Microsoft SharePoint Server), which includes libraries, services, repository and interfaces. These characteristics are more beneficial for an establishment such as improved communication, more cost effective by cutting travel expenses and increased speed. However, with these new features there are new security issues. As compared to previous SharePoint security risks, modern threats are more malicious and harmful. They are sophisticated enough to make a security breach into the system. Many attacks such as a Zero - day attack, SQL injection, Cross-site Scripting, phishing and other malicious codes automatically inflate into the victim s system and easily fetch the vital information. According to SANS, Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. These vulnerabilities are being exploited widely to convert trusted web sites into malicious websites serving content that contains client-side exploits. On the other hand, employees can use SharePoint anywhere, anytime which increase more chances of vulnerability. Moreover, SharePoint is not only used by the employees, authorized clients can also use it by online access which may harm the system by virus or malware. Figure 2: SharePoint The image above represents two organizational risk models. As employees use SharePoint services within an enterprise, there is less probability of security breach. But, if SharePoint services are used by non-employees or are accessed from outside the internal office network, there will be more security attacks against the organization.

4 ECM P. 4 Figure 3: Common use models and related risks TITUS (2012) shows five security challenges in SharePoint and their solutions. First problem is security issues in organization s multiple partners. Some enterprises need to work with other organizations. So while working with other partners, one must exchange its information and this information could be contract, engineering diagrams or product specification. Therefore, organization wants to limit the information to the specific partners. Therefore, configuring lots of permissions are a bit complicated and time consuming. In order to deal with this complexity, automation can be used as a technique. Administrators do not need to give permissions manually every time new information is added to SharePoint. Automatically, appropriate permission can be given to that user. The second point is to secure the corporate records that are necessary for compliance. Managing the records can be confusing in SharePoint. Sensitive content might be considered as a record. While using the Record Center Site and a sensitive document with limited permissions it might be automatically moved to the Record Center without its permission. For this record, the business manager and system administrators should not be required to add permissions manually. Permissions can be automatically added to documents or items. Security in TITUS Suite for SharePoint increase Microsoft SharePoint security by applying access control policies and promoting strong data governance of your SharePoint content. A report published by M-files (2013) summarizes the elements driving ECM in general: improving productivity and efficiency, and operational cost reduction. Loss of data and security breaches are then mentioned as possible risks. As per AIIM s ECM Survey in 2011, drivers are associated with increasing efficiencies and optimizing processes, reducing costs, and improving compliance.

5 ECM P. 5 Figure 4: Factors driving ECM Improving efficiency and productivity within an organization is the primary goal. On the other hand, security intrusion detection involving sensitive content may come from anywhere in an organization. Because of its stealth nature, security attacks are hard to detect without proper investigation. As per this study, 31% of the data breaches were just due to malicious attacks. 4. Discussion Enterprise content management (ECM) provides a platform to organizations for their unstructured content, and delivers this information in a proper format to different enterprise applications. By this technology, we can efficiently build better applications, integrate hundreds of content services and reuse contents with other applications. ECM helps to share content effectively, decrease costs, better risk management, automate processes, minimize the number of lost documents and reduce resource bottlenecks. There are a number of benefits to implementing ECM technology because ECM systems help organizations control access to their content, and maintain records, histories and policies. ECM also helps to minimize the security risk and better content sharing between different organizations. ECM helps to deliver the right information to the right people at the right time. ECM permissions work automatically which improve the communication and helps to create a strong relationship and services in a secure environment. Moreover, reuse and share contents across the different organizations helps to improve the effectiveness and reduce printing cost, shipping as well as storage costs. However, still ECM have security breaches such as; in a company employees who work with the system may steal the information and leak that information to other organizations or they can try to alter the documents. Second, employees may execute processes which they are not authorized to use it. So it is essential to protect such information and manage proper credentials between individuals. Finally, in ECM system Document security have different levels of protections like; read or write permission, change or delete permission and substitute, render or transfer permission. So preventing sensitive information in a content management system from hackers is quite difficult but there are some guidelines by which we can reduce the security breaches.

6 ECM P Conclusion In this paper, Enterprise Content Management system s benefits and security breaches are discussed. ECM Provides a more effective way for content management which is cost effective too. But several threats and vulnerability attacks were detected in ECM systems. Moreover, ECM systems are still used for storage, communication with other enterprises and distribute the digital content among them. ECM systems also helpful to provide secure electronic document transaction, within the system. However, still ECM has security issues like; data leakage in a company with employees who work with the system. ECM also has security issues from hackers which try to exploit the information of the company. There are many different attacks and vulnerabilities which are still an issue in an Enterprises Content Management. 6. References Erturk, E. (2012). Two Trends in Mobile Malware: Financial Motives and Transitioning from Static to Dynamic Analysis. International Journal of Intelligent Computing Research (IJICR), Volume 3(3/4), Peterman, N. (2009). Threat modeling of Enterprise Content Management Systems (Master thesis, Vrije Universiteit Amsterdam, Amsterdam, Netherlands). Retrieved from &location=thesisnickpeterman_ _v1.pdf ae81a690392cbcb212b03788e1.pdf M-files. (2013). The Business Case for Enterprise Content Management A Collection of Enterprise Content Management (ECM) and Document Management Research Data. Retrieved from Trend Micro. (2010). Microsoft SharePoint Use Models and Security Risks Retrieved from TITUS. (2012). Five Security Challenges in SharePoint and How to Solve Them. Retrieved from How_to_Solve_them.pdf