We've all received "those" emails. Something from HR containing staff salaries. Something from finance with customer bank account or credit card details.
You know it must be important because the emails are covered with warnings like "CONFIDENTIAL!!!! Do not forward this file!!!" or "Contains sensitive staff information!"
They are always sent with the best of intentions, and generally for a very valid business reason. (You know the saying - "The road to hell is paved with good intentions".)
Every now and then, being known as someone in the security team, I get another kind of email. A cry for help. "I just forwarded the HR file to the wrong people!" or "We just accidentally sent the customer finances file to the wrong Fred Blogs!"
And very occasionally, I get a third kind of email - "we think someone has leaked a confidential file to someone outside the organisation".
Most organisations like distributing data in files. Often via email, but also via a share drive or other mechanisms. Often the file is fairly innocuous and the data isn't too sensitive, but every now and then you run into a report that has data that really should be well protected at all times. Credit card numbers or staff salaries anyone?
It strikes me this is the Achilles heel of security. I spend my days working with teams and projects on how to ensure that system X has appropriate controls to protect data. We look at passwords, authorisation, records of access and all those other good things. We sign off on a well-secured and configured system and all is happiness.
And then someone generates a report from the system. Maybe directly from the database, maybe using some functionality in the system itself. The report is generated for all the right reasons. But it's emailed to everyone who needs it and then quite possibly stored in a few locations around the network. Control of that data just got much harder.
The best example I can think of is HR systems. They are generally well secured. As a staff member I log in and can see my salary or how much leave I have. Once I log out I can no longer see the data - it all stays within the confines of the system. But these systems also let you generate reports in files that you can download. And for someone in HR, the reports that can be generated and downloaded are often very comprehensive covering large groups of staff.
How do you control a report once it's downloaded to someone's PC? Anyone can copy it and send it around to whomever they desire. We may get logs from the email or file share systems, but it'll be after the fact. Data Leakage Protection (DLP) may prevent the data being sent places - but DLP is hard to configure to catch everything.
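As an added illustration of why DLP catches only the patterns it has been told about (example code written for this post, not any product's configuration): a small content classifier run over constructed sample attachments. It flags Luhn-valid card numbers and a "salary" heading, and the constructed pay_report.csv sample shows the same salary data slipping past simply because the column is named differently.

```python
import re

# Constructed sample attachment bodies (not real data) to run the classifier over.
SAMPLES = {
    "card_report.csv": "cust_id,card\n1001,4111111111111111\n1002,5500 0000 0000 0004\n",
    "salary_report.csv": "name,salary\nFred Blogs,85000\nJane Doe,92000\n",
    "pay_report.csv": "name,annual_pay\nFred Blogs,85000\n",  # same data, different heading
    "newsletter.txt": "Staff picnic on Friday. Call 0412 345 678 to RSVP.\n",
}

# 13-19 digits, optionally separated by spaces or hyphens, on word boundaries.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Crude keyword rule for salary data: exactly the kind of rule that is easy to miss with.
SALARY_RE = re.compile(r"\bsalar(?:y|ies)\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check used to separate card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list[str]:
    """Return Luhn-valid 13-19 digit runs found in text, separators stripped."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classify(text: str) -> dict:
    """Label an attachment body with the reasons a DLP policy would block it."""
    reasons = []
    cards = find_cards(text)
    if cards:
        reasons.append("card_numbers")
    if SALARY_RE.search(text):
        reasons.append("salary_data")
    return {"block": bool(reasons), "reasons": reasons, "cards": cards}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify(body))
```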
So what do we do? Getting people to think about the problem is a good start. A company that understands the value of its data will worry about those reports and minimise or at least protect them.
To that end, I like to ask projects what reports will be generated and how they will be secured. I see that as just as much a part of the overall system's security as any other control.
I also like to steer people away from generating files of data if I can. For example, I love the apps that are being created to allow people to access the data they need from their phone or tablet. These apps provide an authenticated and controlled view into the data at the point of request.
If the app is well built it will only download the specific data required, and then in a format that is hard to forward. As soon as the app is closed - the data is gone from the device. The best part is the end users love it - when they need the data they log in and see it. No searching for files everywhere!
So whether you're a developer, a system owner or an end user - think about the value of your data, and control where it's being sent. Question whether you really need to provide that reporting capability through files and if you can, find a better way.
Done right it will delight your users - and it might just stop a nasty surprise.