Michael Sampson is going all out to talk to companies about what the threat surface is for collaboration platforms. His research will prove to be interesting.
I'm most concerned about the combination of on-premise with off-premise tools when blended with SaaS offerings (try saying that after six Wodka's).
So take this example: Let's say you use a collaboration tool like MS SharePoint. You've got an on-premise installation that you use for more sensitive documents, say M&A. The off-premise tool (perhaps hosted by Microsoft themselves) is for collaboration with external third parties - could be suppliers / contractors or customers. You rig all of this up in a secure way. Registration for the external site requires two factor authentication; you might even use SAML to federate your directory with another company. Some of your internal document content is in multiple languages and you've had submissions in French and Chinese. Now you've got someone in Hungary who can understand French and they can handle a translation - but there's no-one who can understand Chinese. So they innocently use the publicly available Google Translate service to do a quick translation of the document - cutting and pasting it into the web tool. The translation is done and the response comes back via their browser. When they read the English translation, the document makes reference to 500 employees being laid off by the Chinese company in Hungary. Such information would be damaging to the company's brand and is particularly sensitive.
Where exactly has that information gone in its traverse of the Web to get translated? Over the Internet not encrypted for a start, and then possibly still residing on Google's servers somewhere [Google say on the website they have developed their own translation software http://www.google.com/intl/en/help/faq_translation.html#google] helping Google to make better translations. Hmmm.... maybe you're not too happy about that.
</Rant>
For me, the biggest security consideration is related to these public SaaS offerings that innocently get used by employees. They're so used to using them at home for their own purposes that there's an assumption they're ok to use for work. Google need to take better steps (and they are doing, to be fair) to secure these services and let us know more about what they're doing with this data we pass to them. After all, it can't get any worse than a conversation I had with Google's UK Sales Manager about 3 years ago when I asked him about compliance and using Google Enterprise Apps. "Compliance?" he responded. "Compliance is boring".
Posted via web from gazcoop

Hi Gary ... great example of a security problem with collaboration systems ... thanks for sharing it.
Michael Sampson