SP-019: Secure Ad-Hoc File Exchange Pattern
Legend: Secure information (i.e. file) exchange pattern, particularly for ad-hoc, business-driven scenarios
Description: Two parties (for example a supplier and its customer) want to exchange confidential files. Both are connected to the internet but share no pre-established common IT infrastructure, so the sharing needs to be enabled ad hoc.
We describe here a pattern that supports a scenario in which only business users interact in the file exchange workflow. Neither an approval/setup process nor a trust-accreditation process shall be required. Business users should therefore be able to help themselves and activate the sharing in as few as 2 or 3 steps.
Technical Design Considerations:
The size of the data to be shared has to be considered. If the size is too big (e.g. several gigabytes), then storage and bandwidth quotas need to be introduced to minimize the impact on other users.
To keep the technical solution setup as simple as possible, a single “secure-data-sharing” application would be preferred. Such solutions can either be hosted in the corporate data centre or be acquired as Software as a Service.
Assumptions: As it has to be assumed that the shared data can be classified as confidential, strong encryption is required by most corporate security policies. Data in transit as well as data at rest should therefore be encrypted, and access control policies will probably declare the “need-to-know principle”. In an ad-hoc scenario it is unlikely that digital rights management solutions (with watermarking and copy prevention) would be required. However, integrity assurance on a technical level (for example a hash-value comparison before and after transmission) can be added.
Indications: The discussed pattern matches best if the following indicators can be found:
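The hash-value comparison mentioned above, worked through as an added example (this code is not part of the original pattern description and is not taken from any particular product): the sender records a SHA-256 manifest of every file before transmission, and the recipient recomputes the hashes after transmission and reports mismatched, missing or unexpected files. File names and contents are constructed sample data. Hashing is done in chunks so that the same routine works for the multi-gigabyte files the size consideration warns about.

```python
import hashlib
import io
import json
from typing import BinaryIO, Dict, List, Tuple

# Constructed sample payloads standing in for the files a supplier would share.
SENDER_FILES: Dict[str, bytes] = {
    "price_list_2010Q2.csv": b"sku,price\nA100,12.50\nA200,7.25\n",
    "contract_draft.pdf": b"%PDF-1.4 constructed placeholder content",
}


def sha256_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> str:
    """Hash a file-like object in chunks so large files never sit fully in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Sender side: record the SHA-256 of every file before transmission."""
    return {name: sha256_stream(io.BytesIO(content)) for name, content in sorted(files.items())}


def manifest_to_json(manifest: Dict[str, str]) -> str:
    """Serialise the manifest deterministically so it can be sent alongside the files."""
    return json.dumps(manifest, sort_keys=True, indent=2)


def verify_received(manifest: Dict[str, str], received: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Recipient side: recompute every hash and list each integrity problem found.

    Returns (True, []) when every listed file arrived unchanged and nothing extra
    was delivered; otherwise (False, [problem descriptions]).
    """
    problems: List[str] = []
    for name, expected in manifest.items():          # manifest is already name-sorted
        if name not in received:
            problems.append(f"missing: {name}")
        elif sha256_stream(io.BytesIO(received[name])) != expected:
            problems.append(f"hash mismatch: {name}")
    for name in sorted(received):
        if name not in manifest:
            problems.append(f"unexpected extra file: {name}")
    return (not problems, problems)


if __name__ == "__main__":
    manifest = build_manifest(SENDER_FILES)
    print(manifest_to_json(manifest))
    # Simulate a transmission in which one file was altered on the way.
    delivered = dict(SENDER_FILES)
    delivered["contract_draft.pdf"] = b"%PDF-1.4 altered content"
    print(verify_received(manifest, delivered))
```

The manifest only detects accidental or unauthorised modification if it reaches the recipient by a path the file transfer itself cannot alter (for example read out over the phone, or sent through the sharing application's authenticated channel while the files go another way); a party who can rewrite the files and the manifest together defeats a plain hash comparison.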
- Business driven: business decides ad-hoc when and where the solution is required/used
- A simplified user interface that also allows staff members with low IT affinity to use the solution
- Low integration costs
- Identity federation with partner is not established
- Business unit is data owner, IT does not act as data owner custodian, business unit staff members can decide who needs access, when and where
- Audit trail needs to be available
- Strong authentication, for example with a second authentication factor (after user ID/password) transmitted over SMS, is likely to be required for sensitive data.
Contra-indications: Strong integration into a document management workflow requires a single repository for internal and external collaboration. Real-time collaboration requirements would suggest a solution that includes collaborative editing and in-band update notification.
Mitigated threats: The following threats/risks have to be taken into account when implementing this pattern:
- Loss of business opportunities due to delays in IT-Setup. Mitigation: Ad-hoc sharing allows business users to decide instantaneously which documents are shared with whom
- Irrational risk acceptance to save setup costs. Mitigation: To avoid the syndrome where business managers take the risk of violating regulations and inadvertently exposing their data to confidentiality violations, it is important to offer solutions that are quick to set up and do not raise setup-project costs. A pay-as-you-go SaaS setup mitigates this risk.
- Intentional abuse by business staff members to take confidential data off-site. Mitigation: Make business staff members aware that all transfers are logged in an audit trail.
Residual risks that are not mitigated: Scenarios in which documents are bound into a complex sign-off and processing workflow are typically not well served by an ad-hoc setup.
Related Business Process Considerations: The business processes that involve sharing of confidential data will need to address the following issues:
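An audit trail only deters abuse if the people being audited cannot quietly edit it. The following added example (not part of the original pattern, and not the code of any particular sharing product) shows one way a sharing application could record each transfer as a hash-chained entry: every record carries the hash of the record before it, so a later deletion or edit of any entry is detectable by re-walking the chain. Actor names, recipients, file names and timestamps are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Tuple

GENESIS_HASH = "0" * 64  # chain anchor for the first entry


def _entry_hash(prev_hash: str, record: Dict[str, Any]) -> str:
    """Hash of an entry = SHA-256(previous hash || canonical JSON of the record)."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


class TransferAuditTrail:
    """Append-only, hash-chained log of who shared which file with whom."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def log_transfer(self, actor: str, recipient: str, file_name: str,
                     file_sha256: str, action: str = "share",
                     when: Optional[datetime] = None) -> str:
        """Append one transfer record and return its chain hash."""
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        record = {
            "seq": len(self.entries),
            "when": stamp,
            "actor": actor,
            "recipient": recipient,
            "file": file_name,
            "sha256": file_sha256,
            "action": action,
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {"record": record, "prev": prev, "hash": _entry_hash(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> Tuple[bool, int]:
        """Re-walk the chain; return (True, -1) or (False, index of first bad entry)."""
        for i, entry in enumerate(self.entries):
            expected_prev = self.entries[i - 1]["hash"] if i else GENESIS_HASH
            if entry["prev"] != expected_prev:
                return (False, i)                     # entry removed or reordered before here
            if entry["record"]["seq"] != i:
                return (False, i)                     # sequence number tampered
            if entry["hash"] != _entry_hash(entry["prev"], entry["record"]):
                return (False, i)                     # record contents edited in place
        return (True, -1)

    def transfers_by(self, actor: str) -> List[Dict[str, Any]]:
        """Records for one staff member, e.g. for a periodic review of off-site transfers."""
        return [e["record"] for e in self.entries if e["record"]["actor"] == actor]


if __name__ == "__main__":
    trail = TransferAuditTrail()
    trail.log_transfer("alice@supplier.example", "bob@customer.example",
                       "price_list_2010Q2.csv", "b" * 64)
    trail.log_transfer("alice@supplier.example", "carol@customer.example",
                       "contract_draft.pdf", "c" * 64)
    print("chain intact:", trail.verify())
    trail.entries[0]["record"]["recipient"] = "someone-else@example"   # simulated tampering
    print("after edit:", trail.verify())
```

In a real deployment the entries would be written to storage the sharing application's own users cannot modify (a separate log service or a write-once store), and the latest chain hash would be published or countersigned periodically so that even the log host cannot truncate the chain unnoticed.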
- Data classification: the person that shares the data needs to be aware of the data classification and the associated duty to take care.
- Data ownership: the person that shares the data needs to own the data or at least be the custodian of the data
- Partner identification: the person that shares the data needs to be able to identify the partner securely
Related Regulations: What regulations are relevant?
- Data location: local regulations that require that certain types of data do not leave the local jurisdiction
- Data classification: local regulations that require that confidential data is marked as such
- Data leakage protection: local regulations that require data leakage protection measures
References: To be added. List of references, e.g. URLs and publications, that can give more information or have informed the approach.
Related patterns: TBD
Classification: File Exchange
Release: 08.02 (Last update 27th April 2010)
Author(s): Tobias Christen
The pattern was created based on the working group results of the SGRP and the Information Security Society Switzerland.
Reviewer(s): Patrick Greuter, Russell Wing
AC-02 Account Management
AC-07 Unsuccessful Login Attempts
AC-10 Concurrent Session Control
AC-12 Session Termination
AC-20 Use of External Information Systems
AT-02 Security Awareness
AT-03 Security Training
AT-05 Contacts With Security Groups And..
AU-04 Auditable Events
AU-06 Audit Monitoring, Analysis, And Reporting
CA-02 Security Assessments
CA-03 Information System Connections
CP-02 Contingency Plan
CM-03 Configuration Change Control
CP-09 Information System Backup
IA-04 Identifier Management
IR-04 Incident Handling
IR-07 Incident Response Assistance
MA-02 Controlled Maintenance
MA-06 Timely Maintenance
RA-03 Risk Assessment
RA-05 Vulnerability Scanning
SC-07 Boundary Protection
SC-09 Transmission Confidentiality
SC-13 Use Of Cryptography