Networking

Lock IT Down: Questions to ask when determining the right security approach

Helps CIOs determine the appropriate file-sharing security solution by asking a few important questions about their needs and security requirements


Determining the appropriate file-sharing security solution is directly tied to an enterprise’s needs, technology hooks, and file-sharing policy. As I explained in my first article on this topic, "Enterprise solutions for securing collaboration," there are plenty of different solutions to choose from. The tough part is figuring out which one will fulfill your company's needs.

To help narrow the list, CIOs need to answer the following questions:
  1. What exactly do users need access to: e-mail, files, folders, drivers, applications, devices, or all of these?
  2. Who needs access: in-house employees, road warriors, telecommuters, business partners, or customers?
  3. What level of security is really needed: simple access control using password and ID, user authentication, or plain encryption?

Collaboration security series
This is the second of a two-part series focusing on choosing the appropriate approach to secure file sharing in today’s enterprises. This promises to be a continuing issue for tech leaders, so TechRepublic invites you to e-mail us with your input on what solutions CIOs are using today and the obstacles you’ve overcome in choosing the right solution for your company.

Security should fit users' requirements
After answering the questions I listed above, CIOs also need to investigate how people work—how they collaborate electronically—to pick the best solution for secure file sharing.

For instance, Roger Becker, CIO of an Arizona plastics and chemical manufacturing company, settled on a solution after much infighting among his staff over the best way to meet users’ security needs.

A company board member had raised concerns about the haphazard way critical business documents were circulated between officers and the board of directors. The board member’s concern was two-fold. First, since board members were not company employees, and thus were not on the corporate mail system, documents were sent to them using common Internet mail. While some members had corporate accounts within other companies, others had simple home AOL or MSN accounts.

The other concern was the company’s legal liabilities if the shared documents ended up in the wrong hands.

Becker’s first inclination was to link the board members to the company's e-mail via a VPN. But after reviewing VPN implementation and functionality, he decided a VPN provided much more functionality than what was required.

A second thought was to simply add the board members to the corporate mail system. "After thinking about it for a day, I decided that while it would solve one problem, it would cause others,” Becker said. “We use [Lotus] Notes, and we’d have to install and configure our mail client on each board member's PC and give them either VPN or direct-dial access to our mail servers."

This scenario, he explained, was not viable, as most board members did not want software installed on their machines.

“We decided that all we really needed was a way to encrypt documents so we could send them using any type of Internet mail account and be assured of some level of confidentiality,” said Becker.

Sometimes, simple encryption is the solution
Becker chose the freeware package Pretty Good Privacy (PGP) for several reasons. First, there are versions for virtually all operating systems. Second, it is widely used, and it has “quite good documentation,” said Becker.

With PGP Freeware, users need to download software and generate a pair of encryption keys, which consist of a public key and a private key. The file sender uses the intended recipient’s public key to perform the file encryption. Upon receiving the file, the recipient uses his or her private key to decrypt the file.

One challenge with this type of technology is in distributing public key information to users. It can be done in several ways, including faxing or e-mailing the key or posting it to a Web site for all to download. There are several public key servers to choose from, such as http://pgpkeys.mit.edu:11371.

PGP can be used manually when, for example, a user encrypts a file and then attaches the encrypted file to an e-mail message. But much of the process can be automated. PGP Freeware offers integrated plug-ins for sending secure e-mail via e-mail programs, including Outlook, Outlook Express, Qualcomm Eudora, and Claris Emailer.

PGP Freeware supports 1,024-bit key lengths and can be downloaded from many sites, including http://web.mit.edu/network/pgp.html. Commercial versions of this type of product are available from McAfee.com Corp., based in Sunnyvale, CA. Commercial solutions support additional encryption technologies and algorithms, including triple DES symmetric encryption and support for keys of up to 4,096 bits.

Encrypt and control documents
Another secure file-sharing approach is combining encryption with e-mail and controlling document use once a user receives the file.

Authentica Inc, based in Waltham, MA, provides services that allow senders to share e-mail and documents online and then control recipient access and use. For instance, senders can prevent recipients from printing, saving, copying, or forwarding the information. Users can also set time limits for access to the document and easily pull back a mail message or document if it is sent erroneously. You can try Authentica’s service for free by visiting its site.

The challenge for CIOs
The products and services discussed in this two-part series on secure file sharing represent just the tip of the iceberg when it comes to solutions and possible approaches. What works for one enterprise often isn’t an easy fit for another, as users’ needs and the enterprise's security concerns are often very different. The challenge CIOs face is finding a cost-effective method that fits their users’ particular needs.

Editor's Picks