Information Security for Modern Enterprises



Similar documents
WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

PCI Data Security Standards (DSS)

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Readiness Assessments: Vital to Secure Mobility

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Where every interaction matters.

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

05.0 Application Development

Protecting Your Organisation from Targeted Cyber Intrusion

Whitepaper on AuthShield Two Factor Authentication with ERP Applications

Passing PCI Compliance How to Address the Application Security Mandates

IBM Protocol Analysis Module

Internet threats: steps to security for your small business

Assuring Application Security: Deploying Code that Keeps Data Safe

ITAR Compliance Best Practices Guide

A SURVEY OF CLOUD COMPUTING: NETWORK BASED ISSUES PERFORMANCE AND ANALYSIS

Rational AppScan & Ounce Products

SecurityMetrics Vision whitepaper

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

Securing Virtual Applications and Servers

Technical Proposition. Security

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

For instance, consider a customer order process. Documents such as orders can originate from paper

ICTN Enterprise Database Security Issues and Solutions

BRING YOUR OWN DEVICE (BYOD) AND MOBILE DEVICE MANAGEMENT

Enterprise Content Management with Microsoft SharePoint

IBM Security Strategy

The Key to Secure Online Financial Transactions

Brochure Achieving security with cloud data protection. Autonomy LiveVault

The Top Web Application Attacks: Are you vulnerable?

ELO for SharePoint. More functionality for greater effectiveness. ELO ECM for Microsoft SharePoint 2013

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

Web Application Report

Pass-the-Hash. Solution Brief

Threat modeling of Enterprise Content Management Systems

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

PROTECTION FOR SERVERS, WORKSTATIONS AND TERMINALS ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

The Prevalence of Flash Vulnerabilities on the Web

Recommended Practice Case Study: Cross-Site Scripting. February 2007

AB 1149 Compliance: Data Security Best Practices

Session 11 : (additional) Cloud Computing Advantages and Disadvantages

應 用 SIEM 偵 測 與 預 防 APT 緩 攻 擊

1 Executive Summary Document Structure Business Context... 5

Universities and Schools Under Cyber-Attack: How to Protect Your Institution of Excellence

Guideline on Auditing and Log Management

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

next generation privilege identity management

10 Smart Ideas for. Keeping Data Safe. From Hackers

How To Manage Web Content Management System (Wcm)

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Injazat s Managed Services Portfolio

Protect Your Business and Customers from Online Fraud

Table of Contents. Page 2/13

Website Security: How to Avoid a Website Breach. Jeff Bell, CISSP, CPHIMS, ACHE Director, IT Security and Risk Services CareTech Solutions

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

The Pension Portal. Helping you take your pension business into the paperless age

NATIONAL CYBER SECURITY AWARENESS MONTH

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

IJMIE Volume 2, Issue 9 ISSN:

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

WHITE PAPER Usher Mobile Identity Platform

How To Manage Security On A Networked Computer System

Building The Human Firewall. Andy Sawyer, CISM, C CISO Director of Security Locke Lord

5 Simple Steps to Secure Database Development

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment

DETAILED RISK ASSESSMENT REPORT

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Web Security School Final Exam

2012 Data Breach Investigations Report

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Splunk Enterprise Log Management Role Supporting the ISO Framework EXECUTIVE BRIEF

plantemoran.com What School Personnel Administrators Need to know

Basics of Internet Security

VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso

Wireless Network Security

Protecting the Extended Enterprise Network Security Strategies and Solutions from ProCurve Networking

Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard

Bitrix Software Security. Powerful content management with advanced security features

Transcription:

Information Security for Modern Enterprises Kamal Jyoti 1. Abstract Many enterprises are using Enterprise Content Management (ECM) systems, in order to manage sensitive information related to the organization. This information needs to be protected from unauthorized users. The purpose of this research report is to investigate some of the security challenges faced by small and medium enterprises (SMEs). The first part of this research consists of identifying existing and relevant research papers on ECM security. Secondly, it is important to reflect on how the ECM architecture and content management systems are different from other information systems. As an ECM system may handle both structured and unstructured data, there are a wide range of potential security issues. ECM systems provide business related benefits such as accessibility, scalability, proper document management, better workflow management. On the other hand, ECM systems are also vulnerable to security threats aimed against those organizations and their documents. The literature review for this paper also covers the different types of security attacks and some of the preventative measures. 2. Introduction ECM (Enterprise Content Management) is a collaboration of different strategies and tools for an organization to create documents, manage the data, send and deliver the information, store the content and documents related to that companies need. Figure 1: ECM System

ECM P. 2 ECM helps to manage different types of information, whether structured or unstructured information. Structured information is information that has been processed within a system, e.g. relational databases, ordered data, sales and invoicing, accounting and human resources. Unstructured information can be used by humans as it is, e.g. images, office documents, print streams, graphics and drawings, web pages and contents, emails and videos. Unstructured data is managed by ECM in an organization, wherever the relevant exists. ECM includes end-to-end management solutions for product evaluation, application development to maintenance, record management and web content. It also facilitates clients to handle paper and electronic records to decrease the cost. The security of organization data has always been crucial in a modern enterprise. Recently, this also applies to employees using mobile devices for work (Erturk, 2012), including companies that have bring-your-own-device (BYOD) arrangements. ECM systems are utilized for storage and distribute the digital content. These digital contents have different sorts of documents. They are linked with organizational operations and can be vital to the business. ECM systems consist of different modules, each of these modules has focus on different tasks and own purpose. ECM systems are designed to archive and control correspondence of documents within organization. They might be used to store documents and these can be accessed by others at the other side of the world. This helps employees to communicate with other companies and it also helps to align business processes, because cooperation is made easier or automated. ECM systems also helpful to provide secure electronic documents, within the system and can be determined who does or who does not have access or certain privileges. 3. Body 3.1 Literature review: Nick Peterman s paper on Threat Modeling of Enterprise Content Management systems focuses specifically on security and threats in ECM systems. This research has, however, especially concentrated on the implementation and the functionality of existing organizations. It shows that threats or vulnerabilities within ECM systems have been largely ignored in research papers to date. A literature review will be identified in order to give background knowledge about ECM systems and security issues, as these will be important factors. In this paper an important aspect is security within the ECM, there must be secure document management. Organizations preferred to store their documents securely and access information for a particular time of periods. Security within ECM is divided into three different areas; people, processes and documents. Each of these areas presents a threat to the organization and its integrity. In every company some employees authorized to access the data, but some are not. So if such confidential documents will leak and people can change the contents of the documents, the company may face heavy loss. So issues related to the document security in this paper are: Document integrity, Document origin authentication, Document privacy, Document destination authentication, and secure remote document management. In this paper, it is proposed that, securing documents can be attained in many different ways such as; authentication using a password, biometrics fingerprints or digital signatures and watermarking on the papers.

ECM P. 3 Methodology: Furthermore, in this paper the threats were divided into three categories: Confidentiality, Integrity and Availability. The methodology used for the research is interviewing three experts on the field of ECM or security. These interview results shows a total of 73 attacks were classified. Out of these 64 attacks are considered as a medium threat and the rest of the 9 attacks are high threats. In Confidentiality Attack Tree 8.33% have high threats. The Availability Attack Tree has (17%), 5 out of 29 rated as a high attack. Finally the Integrity Attack Tree has only (10%), 2 out of 20 attacks are placed as high threats. Trend Micro s white paper regarding Microsoft SharePoint Use Models and Security Risks represents that Microsoft SharePoint has two components; WSS 4.0 (Microsoft Windows SharePoint Services) and MOSS (Microsoft SharePoint Server), which includes libraries, services, repository and interfaces. These characteristics are more beneficial for an establishment such as improved communication, more cost effective by cutting travel expenses and increased speed. However, with these new features there are new security issues. As compared to previous SharePoint security risks, modern threats are more malicious and harmful. They are sophisticated enough to make a security breach into the system. Many attacks such as a Zero - day attack, SQL injection, Cross-site Scripting, phishing and other malicious codes automatically inflate into the victim s system and easily fetch the vital information. According to SANS, Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. These vulnerabilities are being exploited widely to convert trusted web sites into malicious websites serving content that contains client-side exploits. On the other hand, employees can use SharePoint anywhere, anytime which increase more chances of vulnerability. Moreover, SharePoint is not only used by the employees, authorized clients can also use it by online access which may harm the system by virus or malware. Figure 2: SharePoint The image above represents two organizational risk models. As employees use SharePoint services within an enterprise, there is less probability of security breach. But, if SharePoint services are used by non-employees or are accessed from outside the internal office network, there will be more security attacks against the organization.

ECM P. 4 Figure 3: Common use models and related risks TITUS (2012) shows five security challenges in SharePoint and their solutions. First problem is security issues in organization s multiple partners. Some enterprises need to work with other organizations. So while working with other partners, one must exchange its information and this information could be contract, engineering diagrams or product specification. Therefore, organization wants to limit the information to the specific partners. Therefore, configuring lots of permissions are a bit complicated and time consuming. In order to deal with this complexity, automation can be used as a technique. Administrators do not need to give permissions manually every time new information is added to SharePoint. Automatically, appropriate permission can be given to that user. The second point is to secure the corporate records that are necessary for compliance. Managing the records can be confusing in SharePoint. Sensitive content might be considered as a record. While using the Record Center Site and a sensitive document with limited permissions it might be automatically moved to the Record Center without its permission. For this record, the business manager and system administrators should not be required to add permissions manually. Permissions can be automatically added to documents or items. Security in TITUS Suite for SharePoint increase Microsoft SharePoint security by applying access control policies and promoting strong data governance of your SharePoint content. A report published by M-files (2013) summarizes the elements driving ECM in general: improving productivity and efficiency, and operational cost reduction. Loss of data and security breaches are then mentioned as possible risks. As per AIIM s ECM Survey in 2011, drivers are associated with increasing efficiencies and optimizing processes, reducing costs, and improving compliance.

ECM P. 5 Figure 4: Factors driving ECM Improving efficiency and productivity within an organization is the primary goal. On the other hand, security intrusion detection involving sensitive content may come from anywhere in an organization. Because of its stealth nature, security attacks are hard to detect without proper investigation. As per this study, 31% of the data breaches were just due to malicious attacks. 4. Discussion Enterprise content management (ECM) provides a platform to organizations for their unstructured content, and delivers this information in a proper format to different enterprise applications. By this technology, we can efficiently build better applications, integrate hundreds of content services and reuse contents with other applications. ECM helps to share content effectively, decrease costs, better risk management, automate processes, minimize the number of lost documents and reduce resource bottlenecks. There are a number of benefits to implementing ECM technology because ECM systems help organizations control access to their content, and maintain records, histories and policies. ECM also helps to minimize the security risk and better content sharing between different organizations. ECM helps to deliver the right information to the right people at the right time. ECM permissions work automatically which improve the communication and helps to create a strong relationship and services in a secure environment. Moreover, reuse and share contents across the different organizations helps to improve the effectiveness and reduce printing cost, shipping as well as storage costs. However, still ECM have security breaches such as; in a company employees who work with the system may steal the information and leak that information to other organizations or they can try to alter the documents. Second, employees may execute processes which they are not authorized to use it. So it is essential to protect such information and manage proper credentials between individuals. Finally, in ECM system Document security have different levels of protections like; read or write permission, change or delete permission and substitute, render or transfer permission. So preventing sensitive information in a content management system from hackers is quite difficult but there are some guidelines by which we can reduce the security breaches.

ECM P. 6 5. Conclusion In this paper, Enterprise Content Management system s benefits and security breaches are discussed. ECM Provides a more effective way for content management which is cost effective too. But several threats and vulnerability attacks were detected in ECM systems. Moreover, ECM systems are still used for storage, communication with other enterprises and distribute the digital content among them. ECM systems also helpful to provide secure electronic document transaction, within the system. However, still ECM has security issues like; data leakage in a company with employees who work with the system. ECM also has security issues from hackers which try to exploit the information of the company. There are many different attacks and vulnerabilities which are still an issue in an Enterprises Content Management. 6. References Erturk, E. (2012). Two Trends in Mobile Malware: Financial Motives and Transitioning from Static to Dynamic Analysis. International Journal of Intelligent Computing Research (IJICR), Volume 3(3/4), 325-329. Peterman, N. (2009). Threat modeling of Enterprise Content Management Systems (Master thesis, Vrije Universiteit Amsterdam, Amsterdam, Netherlands). Retrieved from http://www.iids.org/aigaion/indexempty.php?page=actionattachment&action=open&pub_id=296 &location=thesisnickpeterman_1543490_v1.pdf-234384ae81a690392cbcb212b03788e1.pdf M-files. (2013). The Business Case for Enterprise Content Management A Collection of Enterprise Content Management (ECM) and Document Management Research Data. Retrieved from http://www.m-files.com/content/documents/en/res/ecm_stats_white_paper.pdf Trend Micro. (2010). Microsoft SharePoint Use Models and Security Risks Retrieved from http://www.trendmicro.co.nz/cloud-content/us/pdfs/business/white-papers/wp_microsoftsharepoint-use-models-and-security-risks.pdf TITUS. (2012). Five Security Challenges in SharePoint and How to Solve Them. Retrieved from http://www.titus.com/resources/marketo/web_sp_wp_five_security_challenges_sharepoint_ How_to_Solve_them.pdf

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information