The term data leak is something of a euphemism. Comparing data loss to the kinds of leaks that occur with plumbing captures the idea of a potentially slow but persistent loss, but it misses the potential role of human actions. The focus in this third and final article in this series focuses on the role of malicious and unintentional user activities in data loss and its prevention.
Companies and other organizations can lose data because authorized users intentionally copy or capture data with the intent of using it in ways they are not authorized to do so. These organizations can also lose data because of mistakes, oversights, and other unintentional acts that leave information vulnerable to theft or tampering. The two types of user‐related data loss are so different, they warrant separate discussions.
Web application users are granted access to data because they need that access to perform their jobs. Ideally, your authorization schemes are designed to grant all access that is needed to perform a task but not more than that. Even when minimal access rights are granted, you can see there are still many cases where you have to trust employees or business partners to not misuse the data that they can access. Consider examples of confidential or sensitive information that must be available to a wide range of employees:
This list is not meant to imply that any group of employees is untrustworthy; it is designed to show the breadth of opportunity available to employees who are motivated to commit information theft. Many current security controls still provide the opportunity for a crime when the motivation is there.
Stealing information from an employer is not a new story. What is a more contemporary phenomenon is stealing intangible assets. As more and more company value is based on such assets, it is not surprising that thieves would turn their attention to them. Prime targets include:
A disgruntled salesperson leaving one company to work for a competitor might decide to impress his new employer by bringing detailed information about potential new clients. This may not be difficult at all. While the employee is traveling for business, he uses a computer in a hotel business center to access a company Web application. He runs a report listing customers and sales activity in his region. The employee knows that if he runs the print command in the application, the application will record that action in the audit log. Instead, he simply uses a series of screen shots that he pastes to a file and emails it using his personal email. The data is effectively stolen without an electronic trace because the Web application could not control or even monitor activities on the unmanaged client device. Web applications can limit what data a user sees but not how that data is used. Information theft is not the only threat that a disgruntled employee poses.
Not all disgruntled employees want to steal from their employers. Some just might want revenge for a perceived injustice they suffered. In that case, information sabotage is a risk.
Building on the previous examples, consider the types of data at risk:
Both information theft and information sabotage can occur when Web applications do not sufficiently control user actions on the client browser. Another type of data loss risk stems from human error.
We all make mistakes. Sometimes those mistakes can result in a loss of private or confidential data. Web applications are complex, and average users understandably don't know the details of their application's implementation. For example:
Figure 1:. Web browsers are subject to a variety of data loss threats.
Even situations that many IT professionals would recognize as potential data leaks, an average user may not. Consider a CFO traveling offsite for a corporate meeting. As soon as she lands, she realizes she has run down her laptop battery. On her way out of the airport, she stops in at an airline lounge and uses a computer the airline provides for its members. She logs into her corporate email account and opens spreadsheets with the latest financial reports. This may seem like reasonable behavior to most users, but there are significant risks:
As you can see from these scenarios, there is no shortage of ways data loss or information tampering can occur. Both intentional and unintentional user actions pose a risk to protecting the confidentiality and integrity of sensitive information.
Businesses are not at the mercy of employees, business partners, and publicly shared devices around the globe. There are ways to mitigate the threats associated with user actions:
All of these mitigating strategies can be implemented using on‐demand browser‐based security controls.
An earlier example illustrated how a disgruntled or malicious employee could avoid Web application monitoring and control by using a client function such as the print screen feature. When accessing sensitive data, Web application users should be prevented from copying, pasting, printing, or saving such sensitive data to local files. By default, browsers do not do so. Web applications can be designed to download a session‐based security mechanism to client devices before starting the Web application client. It is through these on‐demand controls that features can be blocked while the Web application is running. Of course, when the session ends, the on‐demand security controls are removed, and client functionality is restored.
In addition to blocking operations related to copying sensitive data, it is important to log activities in a browser running a Web application. If the history of computer security has taught us anything, it is that it is difficult to anticipate all the ways a determined attacker can compromise an application. Logging events may not immediately prevent a malicious activity but could prove crucial to identifying such an event and containing the damage as soon as possible.
Another control that can be implemented with on‐demand browser‐based security controls is blocking access to threatening sites. In the past, you could be reasonably confident that avoiding illegal music download sites, pirate sharing sites, and other questionable sites was sufficient to avoid Web‐based malware. Those days are gone. Now even legitimate sites can be hacked, resulting in the sites hosting malicious code without the knowledge of Web administrators at those sites.
It is so difficult to know whether a Web site may be compromised (for example, if it is suffering from cross‐site scripting attacks) that it is reasonable to enforce a "no browsing" policy while Web applications are open and working with sensitive information. This setup can be implemented by blocking access to all domains other than the one hosting the Web application and perhaps other known and trusted Web sites, such as those run by subsidiaries or business partners.
Hoping client devices are secure is not a reasonable strategy. In fact, a more conservative assessment is more reasonable: Assume they are insecure. With that assumption, you need to deploy on‐demand browser security controls that can control user actions and block access to potentially threatening Web sites.
You might trust most of your users, but even the best‐intentioned employees can make mistakes or do things that undermine the confidentiality of sensitive information. Ondemand security is essential to mitigating the risks associated with both malicious and unintentional acts.
The Web browser continues to be a weak point in Web application security. Malicious users can take advantages of Web applications to access to a wide array of data that may be valuable to third parties. Users can unintentionally leave valuable information subject to theft. Web application designers now have options for mitigating data loss risks in the browser. By deploying on‐demand browser‐based security controls, Web application developers can start to exercise comparable controls at the browser that they now have at the server.