Many organizations must communicate with external parties, transferring data across various boundaries. However, facilitating this process safely while preventing the unauthorized disclosure of sensitive data poses significant challenges.
This guide outlines an architecture pattern designed to enable data sharing while protecting the integrity of your core networks and systems.
Establishing a Comprehensive Export Solution
This guide is divided into two main sections. The first focuses on the foundational techniques inherent in the architecture pattern. The second section delves into the specific design of an export solution, utilizing these techniques.
1. Techniques within the Safe Data Export Framework
The safe data-export framework comprises four fundamental techniques that work in cohesion to create an end-to-end export solution:
- Regulating Information Release
- Eliminating Hidden Data in Documents
- Protecting Against Network Attacks
- Securing Data for Recipients
2. Design and Administration of the Export Solution
Employing the safe data-export framework demands thoughtful design, construction, and ongoing monitoring of your export solution.
Regulating Information Release
Effective regulation of information release necessitates both suitable policy and technical measures. These should strike a balance between safeguarding sensitive information and facilitating efficient information sharing.
Risks to Address
Without appropriate controls for authorizing information release, users may inadvertently or deliberately export information meant solely for internal access.
Depending on the information’s nature, this oversight could result in reputational harm or financial loss, among other consequences.
Defensive Strategies
A well-defined release authorization policy is essential for determining which information assets are appropriate for external sharing.
Your policy should consider various factors, including:
- Information Type – Different data categories may hold varying significance for your organization.
- Source – Understanding where the information originated.
- Destination – Assessing the trustworthiness of the recipient’s IT system and their data handling practices, potentially necessitating an information sharing agreement.
- Requesting Entity – If the user (or automated system) is authenticated, their identity can factor into your release decision.
- Multiple Authorizations – Sometimes additional approvals may be required from a different employee, manager, or the information owner.
- Classification – Certain classifications might indicate that a document is too sensitive for release to a particular destination.
- Volume Limits – Exceeding expected release volumes could indicate a potential security breach.
Once your policy is established, you should determine how much to enforce technically versus relying on user behavior and oversight.
It may not be feasible to enforce every aspect of your policy using technology. In fact, overly stringent technical controls could inhibit legitimate business processes by blocking acceptable information sharing.
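The policy factors above can be encoded as a single authorization decision that names the factor behind every refusal. This is an added example, not code from the guide or from NCSC; the classification levels, destination agreements, dual-authorization threshold and daily limits are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed policy tables (assumptions, not values from the guide).
CLASSIFICATION_RANK = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}
# Highest classification each destination's sharing agreement permits; unknown destinations are refused.
DESTINATION_MAX = {"partner-corp.example": "CONFIDENTIAL", "personal-mail.example": "PUBLIC"}
DUAL_AUTH_FROM = "CONFIDENTIAL"                     # at or above this level a second approver is required
RATE_LIMIT = {"default": 20, "bulk-exporter": 200}  # authorized objects per requester per day

@dataclass(frozen=True)
class ExportRequest:
    doc_id: str
    classification: str
    destination: str
    requester: str            # authenticated user or automated system making the request
    approvers: tuple = ()     # identities that approved the release, besides the requester

@dataclass
class ReleasePolicy:
    released_today: dict = field(default_factory=lambda: defaultdict(int))

    def evaluate(self, req: ExportRequest) -> tuple:
        """Return (authorized, reason); every refusal names the policy factor that blocked it."""
        rank = CLASSIFICATION_RANK[req.classification]
        if req.destination not in DESTINATION_MAX:
            return False, "destination has no information sharing agreement"
        if rank > CLASSIFICATION_RANK[DESTINATION_MAX[req.destination]]:
            return False, f"{req.classification} is too sensitive for {req.destination}"
        if rank >= CLASSIFICATION_RANK[DUAL_AUTH_FROM] and not {a for a in req.approvers if a != req.requester}:
            return False, "second authorization by a different person required"
        limit = RATE_LIMIT.get(req.requester, RATE_LIMIT["default"])
        if self.released_today[req.requester] >= limit:
            return False, "daily volume limit reached; review before raising it"
        self.released_today[req.requester] += 1      # count only releases that were actually authorized
        return True, "authorized"
```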
Practical Recommendations
- Avoid Releasing Information to Incorrect Recipients – Make it clear who the intended recipient is and which system they are using (corporate versus personal accounts).
- Establish a Dual Authorization Process for Information Release – Assess the feasibility of this during non-working hours, allowing users to release information autonomously while notifying their managers if necessary.
- Implement Classification Markings – Ensure robust training and tools are available to help users correctly label information requiring extra protection.
- Automatic Information Release – Develop a testing regime to verify that the system functions as intended, ensuring no accidental leaks occur.
- Fine-tune Rate Limiting – Consider user-specific rate limits for improved efficiency.
- Balance Export Controls with Broader Risks – Account for user capabilities such as printing, taking photographs, and copy-pasting, as excessive export restrictions can lead to the rise of ‘shadow IT,’ jeopardizing governance and control.
Eliminating Hidden Data in Documents
Modern file formats are intricate, often containing numerous hidden fields and variables. Consequently, users risk unintentionally disclosing sensitive information that is not immediately visible.
Risks to Manage
Documents exported from a network may retain additional information that is not apparent to the user, including sensitive business data. For example, an Office document could contain tracked changes, comments, or author details. The inadvertent release of such hidden data could lead to severe data breaches.
Defensive Techniques
To prevent this type of data exposure, it is necessary to eliminate hidden information before sending documents beyond your organizational boundaries.
Two methods for achieving this include:
- Sanitization – Inspecting documents and removing concealed information.
- Format Transformation – Converting documents to different file types may eliminate hidden information, especially when using print-friendly formats that discard tracking changes and undo history.
Be aware that users may require certain functionalities (e.g., tracked changes or comments) when sharing documents. Therefore, optional controls that permit retaining such features should be considered.
Providing comprehensive user training is crucial for making informed decisions while prioritizing security. Users should also have the opportunity to preview converted documents before sending to ensure that the conversion does not alter the document’s meaning or format.
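The sanitization and preview steps for an Office document, as an added example that is not part of the guide: the sample document is constructed in memory with tracked changes, a comment and author metadata, the sanitizer accepts insertions, rejects deletions and blanks the metadata (with an option to keep change history), and visible_text is the preview check that the document's meaning survived.

```python
import io, zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ET.register_namespace("w", W)

def make_sample_docx() -> bytes:
    """Constructed sample: a minimal docx-style zip with tracked changes, a comment and author metadata."""
    doc = (f'<w:document xmlns:w="{W}"><w:body><w:p><w:r><w:t>Price agreed: </w:t></w:r>'
           '<w:del w:author="alice"><w:r><w:delText>900</w:delText></w:r></w:del>'
           '<w:ins w:author="alice"><w:r><w:t>1200</w:t></w:r></w:ins>'
           '<w:commentRangeStart w:id="0"/><w:r><w:t> EUR</w:t></w:r><w:commentRangeEnd w:id="0"/>'
           '<w:r><w:commentReference w:id="0"/></w:r></w:p></w:body></w:document>')
    comments = f'<w:comments xmlns:w="{W}"><w:comment w:id="0" w:author="alice"><w:p><w:r><w:t>Competitor quoted 950</w:t></w:r></w:p></w:comment></w:comments>'
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>alice</dc:creator><cp:lastModifiedBy>bob</cp:lastModifiedBy></cp:coreProperties>')
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as z:
        for name, xml in (("word/document.xml", doc), ("word/comments.xml", comments), ("docProps/core.xml", core)):
            z.writestr(name, xml)
    return buf.getvalue()

def sanitize_docx(data: bytes, keep_tracked_changes: bool = False) -> bytes:
    """Strip hidden data: comment text, author metadata and (unless the user opts to keep it) change history."""
    src, out = zipfile.ZipFile(io.BytesIO(data)), io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            root = ET.fromstring(src.read(name))
            if name == "word/comments.xml":
                root.clear()                                  # empty the comments part but keep it present
            elif name.startswith("docProps/"):
                for prop in root.iter():
                    prop.text = None                          # blank creator, lastModifiedBy and the rest
            elif name == "word/document.xml" and not keep_tracked_changes:
                for parent in list(root.iter()):              # snapshot: the tree is edited below
                    for child in list(parent):
                        tag = child.tag.rpartition("}")[2]
                        if tag == "ins":                      # accept the insertion: its runs replace the wrapper
                            pos = list(parent).index(child)
                            parent[pos:pos + 1] = list(child)
                        elif tag in ("del", "commentRangeStart", "commentRangeEnd", "commentReference"):
                            parent.remove(child)              # reject the deletion, remove comment anchors
            dst.writestr(name, ET.tostring(root, encoding="UTF-8"))
    return out.getvalue()

def part(docx: bytes, name: str) -> bytes:
    return zipfile.ZipFile(io.BytesIO(docx)).read(name)

def visible_text(docx: bytes) -> str:
    root = ET.fromstring(part(docx, "word/document.xml"))     # what a reader sees: w:t runs, never delText
    return "".join(t.text or "" for t in root.iter(f"{{{W}}}t"))
```

A real sanitizer must also handle the other parts a .docx carries (headers, footnotes, embedded objects, custom XML) and the relationship and content-type entries that reference them.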
Protecting Against Network Attacks
An export solution must not itself become a route for network attack. Potential attacks could originate from external systems or take the form of command and control for malware already inside the organization.
Risks to Manage
An export solution’s requirement for end-to-end network connectivity renders it a viable target for network-based attacks.
Two potential attack vectors using the export channel include:
- Exploiting the export channel to facilitate initial compromise.
- Using the export channel to steal data or as a command and control pathway once the network is compromised by other vulnerabilities.
Defensive Techniques
The following strategies can mitigate network attack risks:
- Flow Control – Employing data diodes allows only one-way communication through the export solution, preventing external attackers from utilizing the channel for malware-related communication.
- Release Control – Connecting release authorization processes with the export channel to protect against unauthorized access, often implemented with channel authentication or digital signatures for each object.
- Proof of Human Control – Ensuring the export request originates from a human rather than malware, possibly verified through a code input from a TOTP token.
Detecting Concealed Data
Identifying data that malware may conceal within a legitimate export can be exceptionally challenging, as there are numerous subtle encoding methods.
When deploying an export solution, it’s important to recognize the inherent risk of malware present within your system potentially hiding data within legitimate exports. This concern is distinct from the accidental inclusion of hidden data discussed earlier.
Securing Data for Recipients
Encryption plays a vital role in ensuring the data being exported is safeguarded until it reaches its intended recipient.
Risks to Manage
If data released from a system lacks encryption, unauthorized individuals intercepting the communication can access its contents.
Defensive Techniques
There are two primary methods for encrypting information leaving an export solution:
- Data-in-Transit Encryption – Technologies like Transport Layer Security (TLS) encrypt the communication channel over which the data is transmitted.
- Object Encryption – Encrypting each data item individually for the designated recipient.
In many scenarios, data-in-transit protection suffices. However, in higher-risk situations, object encryption provides additional security by safeguarding the data before it traverses flow control. This ensures that even if external components of the export solution are compromised, attackers cannot access the released data.
System Design Considerations
While the specific design of an end-to-end export solution may vary, certain core considerations regarding the arrangement of components and techniques are essential for effective implementation.
Stages of the Export Process
The data export process is delineated into three interconnected stages.
The flow of data includes the following steps:
- A Document or Data Object export is initiated from the Source System.
- Sanitization is conducted to eliminate hidden information. This process may require user input to adjust the sanitization level.
- Release Authorization occurs to verify that the document is suitable for export. This should consider several factors as described previously and may incorporate one or more reviews from human stakeholders.
- If Release Authorization is successful, the document is then Encrypted.
- Signing the document for Release Control may follow if necessary.
- The Document is relayed to the Release Control, which checks the signature to ensure authorization before proceeding to Flow Control.
- Release Control should always precede Flow Control to guarantee that only data that has passed Release Authorization is transmitted to the External Proxy.
- The External Proxy is assigned to convey the document to the Destination System.
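The Signing, Release Control and Flow Control steps above, as an added example that is not part of the guide: Release Authorization binds the already-encrypted object to its destination in a signed token, and Release Control verifies that token before anything reaches Flow Control. Assumptions: an HMAC under a key shared only by those two components stands in for the per-object digital signature (a deployment would use an asymmetric key so Release Control can verify but not forge), and FlowControl is a one-way stand-in for the data diode.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, replace

# Assumption: key held only by Release Authorization and Release Control, standing in for a signing key.
RELEASE_KEY = b"constructed-release-key"

@dataclass(frozen=True)
class ReleaseToken:
    doc_id: str
    destination: str
    digest: str          # SHA-256 of the already-encrypted object (Encryption precedes Signing)
    authorized_by: str
    issued: int          # Unix time of the Release Authorization decision
    mac: str = ""

def _signed_fields(t: ReleaseToken) -> bytes:
    return json.dumps([t.doc_id, t.destination, t.digest, t.authorized_by, t.issued]).encode()

def authorize_release(doc_id, destination, encrypted_obj, approver) -> ReleaseToken:
    """Signing step: bind the approved ciphertext to its destination and sign that binding."""
    t = ReleaseToken(doc_id, destination, hashlib.sha256(encrypted_obj).hexdigest(), approver, int(time.time()))
    return replace(t, mac=hmac.new(RELEASE_KEY, _signed_fields(t), hashlib.sha256).hexdigest())

class FlowControl:
    """One-way stand-in for the data diode: accepts objects for the external side, returns nothing."""
    def __init__(self):
        self.sent = []
    def send(self, destination, encrypted_obj):
        self.sent.append((destination, encrypted_obj))

def release_control(token, destination, encrypted_obj, flow, max_age=3600) -> bool:
    """Release Control: nothing reaches Flow Control unless signature, object and destination all match."""
    expected = hmac.new(RELEASE_KEY, _signed_fields(token), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.mac):
        return False                                   # forged or altered token
    if token.destination != destination or token.digest != hashlib.sha256(encrypted_obj).hexdigest():
        return False                                   # object or destination swapped after authorization
    if int(time.time()) - token.issued > max_age:
        return False                                   # stale authorization: re-authorize instead
    flow.send(destination, encrypted_obj)
    return True
```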
Architectural Variants
Several valid architectural variants should be assessed by system designers:
- Coupling Release Authorization and Release Control – This may involve direct sequential connections instead of relying on object signing or channel authentication.
- Aspects of Release Authorization, Encryption, and Signing may occur within the Source System, such as workflows in document management systems, while ensuring that Release Control can ascertain successful Release Authorization.
- If the export solution is paired with an import solution for two-way communication, precautions must be taken to prevent a bi-directional attack. An intruder could breach internal systems via the import channel and then use the export channel to extract data or feed information back out.
Monitoring and Managing an End-to-End Export Solution
It’s crucial to monitor your export solution to verify its functionality. A robust management system will support this objective.
Management Strategies
To manage the solution effectively, consider the following:
- Ensure the system is easily and quickly patchable.
- Separately manage the administrative functions, safeguarding them against internal system compromises.
- Ensure that management of components situated after the Flow Control (like the External Proxy) is distinct from the management of other elements, since these external components are more susceptible to breaches.
Monitoring Strategies
Monitoring is key to maintaining effective export control:
- The monitoring system must be independent from management functionalities.
- Collect logs from all solution components and direct them to the monitoring system.
- Recording all outbound data may be warranted, though this could necessitate additional safeguards.
- Analyze logs for indications of users misusing the system or sending out unauthorized data. Utilize analytics to identify anomalies in export behaviors.
- Ensure log analysis can highlight incongruent events across components that typically do not occur, such as releasing documents that lack Release Authorization.
- Establish network monitoring to detect potential threats before they penetrate your network boundaries.
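Two of the log checks above, as an added example that is not part of the guide: one finds objects that reached a later component without the earlier components ever logging them (the "released without Release Authorization" case), the other flags requesters whose volume is far above their own history. The log format, component names, events, sample lines and baseline counts are all constructed.

```python
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<component>\w+) (?P<event>\w+) doc=(?P<doc>\S+) user=(?P<user>\S+)$")

# Every released object should produce these events, in this order, one per component.
PIPELINE = ["release_authorized", "release_control_passed", "flow_control_sent", "proxy_delivered"]

# Constructed sample: D-101 is a normal release, D-102 reached Flow Control with no Release
# Authorization or Release Control record, and carol releases far more than her usual handful.
SAMPLE_LOGS = """\
2024-05-01T09:00:01Z release_auth release_authorized doc=D-101 user=alice
2024-05-01T09:00:02Z release_control release_control_passed doc=D-101 user=alice
2024-05-01T09:00:03Z flow_control flow_control_sent doc=D-101 user=alice
2024-05-01T09:00:04Z proxy proxy_delivered doc=D-101 user=alice
2024-05-01T09:05:00Z flow_control flow_control_sent doc=D-102 user=svc-backup
2024-05-01T09:05:01Z proxy proxy_delivered doc=D-102 user=svc-backup
2024-05-01T09:10:00Z release_auth release_authorized doc=D-103 user=carol
""" + "".join(f"2024-05-01T10:{i:02d}:00Z release_auth release_authorized doc=D-2{i:02d} user=carol\n"
              for i in range(40))
BASELINE = {"alice": [3, 4, 5, 4], "carol": [2, 3, 2, 3]}   # constructed: authorized releases per past day

def parse(text):
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def incongruent_events(text):
    """Objects that reached a later stage without every earlier stage being logged."""
    seen = defaultdict(set)
    for e in parse(text):
        seen[e["doc"]].add(e["event"])
    findings = []
    for doc, events in seen.items():
        for i, stage in enumerate(PIPELINE):
            missing = [s for s in PIPELINE[:i] if s not in events]
            if stage in events and missing:
                findings.append((doc, stage, missing))
                break                                   # one finding per object is enough
    return findings

def volume_outliers(text, baseline, threshold=3.0):
    """Requesters whose authorized releases exceed their historical daily mean by > threshold std devs."""
    today = Counter(e["user"] for e in parse(text) if e["event"] == "release_authorized")
    outliers = {}
    for user, n in today.items():
        hist = baseline.get(user, [])
        if len(hist) >= 2 and (n - mean(hist)) / (pstdev(hist) or 1.0) > threshold:
            outliers[user] = n
    return outliers
```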
Conclusion
A well-structured export solution enables organizations to share information securely without jeopardizing IT systems further.
Human Intervention
Traditionally, the export of data requires human engagement. Throughout the design phase, you should evaluate how effectively the system aligns with your organizational culture and practices to ensure it mitigates unintended exports without provoking negative behaviors aimed at circumventing it.
Balanced Approach to Export Controls
Export controls within IT systems ought to be proportionate to the broader environmental risks, such as user capabilities to print, use smartphones, or copy data into other documents. Overly restrictive export measures may foster ‘shadow IT,’ consequently undermining governance and oversight.
Ultimately, export systems should facilitate collaboration and sharing, rather than complicating the process.
Based on an article from www.ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/design-pattern-safely-exporting-data