Organizations frequently need to engage in external communication, which involves transferring data beyond their own boundaries. However, facilitating this transfer without compromising sensitive information can pose significant challenges.
This guide outlines a structural pattern designed to enable secure data sharing while protecting the integrity of your essential networks and systems.
Creating a Secure Export Solution
This guidance divides into two main sections: the first covers the core techniques of the structural pattern, while the second focuses on designing an effective export solution using these techniques.
1. Techniques of the Secure Data Export Pattern
The secure data-export pattern comprises four fundamental techniques that together create an end-to-end export solution:
- Information Release Management
- Eliminating Hidden Data in Documents
- Network Attack Defense
- Data Encryption for Recipients
2. Export Solution Design and Management
Using the secure data-export pattern, organizations must design, implement, and monitor their export solutions.
Information Release Management
Effectively controlling the release of information necessitates a combination of sound policies and technical measures. This approach should balance the need to safeguard sensitive data with the importance of providing timely and efficient information sharing.
Risks to Manage
Without proper controls for authorizing information release, users may inadvertently or deliberately export sensitive information that should remain within the organization.
This could lead to reputational harm, financial loss, or worse.
Defensive Techniques
A release authorization policy is crucial in determining which information assets are suitable for external sharing.
Your policy should consider aspects such as:
- Type of Information – Different information categories may hold varying levels of value and sensitivity for your organization.
- Origin – Consider the source of the information.
- Destination – Evaluate who the recipient is and whether their systems are trustworthy. An information-sharing agreement may be necessary to outline data protection responsibilities.
- Requesting User – Assuming the user or system is authenticated, their identity can influence the release decision.
- Multiple Authorizations – In some cases, additional approval from another individual may be required for information release.
- Classification – Classifications or markings may indicate that certain documents are too sensitive for external sharing.
- Thresholds and Volume Limits – Monitoring the total amount of data released can help prevent unintended breaches.
After defining your policy, consider how much you want to automate using technology versus relying on user behavior and oversight.
Technologically enforcing all aspects of your policy might not be feasible. Overly strict controls may hinder business operations by restricting acceptable information sharing.
Practical Tips
- Prevent Accidental Information Release – Make it clear who the intended recipient is and which system they are using (e.g., corporate vs. personal accounts).
- Second-Party Authorization Considerations – Evaluate whether requiring a second person to authorize information release is practical outside normal working hours. Allowing users to release information with automatic notifications to their managers may be essential in certain scenarios.
- Classifications for Additional Protection – Strong user training and tooling are vital to ensure information is accurately marked.
- Automated Information Release Testing – A testing framework should be in place to verify that the system functions as intended and does not disclose unauthorized information.
- Effective Rate Limiting – Rate limits are more effective when applied per user rather than only in aggregate.
- Balanced Export Controls – Export controls should acknowledge broader risks, such as users' ability to print, capture images with smartphones, or copy data into other documents. Overly restrictive controls may foster ‘shadow IT’ and undermine governance.
Eliminating Hidden Data in Documents
Modern file formats are complex and can include numerous fields and variables, often concealing significant information. This hidden content poses a risk of unintentional disclosure by users.
The Risks Involved
Documents exported from a network may retain hidden information, potentially including sensitive business data.
Defensive Techniques
To prevent such data breaches, it is crucial to eliminate hidden information before it crosses organizational or system boundaries.
Two effective techniques include:
- Sanitization – Review documents and remove hidden information.
- Format Transformation – Changing a document’s format can remove hidden details; for instance, converting to a print-friendly format can eliminate track changes and undo history.
Keep in mind that users may occasionally need certain document features (such as tracked changes or comments) to survive export, so the controls that strip them should be made optional where this applies.
Users should receive thorough training to make informed decisions regarding security. Allowing users to review the modified version of their document before sending helps ensure that it maintains its intended meaning.
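The sanitization technique above, applied to a .docx: the file is a zip of XML parts, so tracked changes can be accepted (deleted text removed, insertions kept) and author metadata blanked before the document leaves the boundary. This is an added example, not code from the NCSC guidance; the sample document is constructed in `build_sample_docx`, and comments, revision history and other hidden parts are left for a fuller sanitizer.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DC = "http://purl.org/dc/elements/1.1/"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
for prefix, uri in (("w", W), ("dc", DC), ("cp", CP)):
    ET.register_namespace(prefix, uri)

def accept_changes(xml_bytes: bytes) -> bytes:
    """Drop <w:del> (deleted text vanishes) and unwrap <w:ins> (insertions become plain runs)."""
    root = ET.fromstring(xml_bytes)
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == f"{{{W}}}del":
                parent.remove(child)
            elif child.tag == f"{{{W}}}ins":
                idx = list(parent).index(child)
                parent.remove(child)
                for offset, run in enumerate(list(child)):
                    parent.insert(idx + offset, run)
    return ET.tostring(root, xml_declaration=True, encoding="UTF-8")
def scrub_core(xml_bytes: bytes) -> bytes:
    """Blank the fields that reveal who created and who last edited the file."""
    root = ET.fromstring(xml_bytes)
    for tag in (f"{{{DC}}}creator", f"{{{CP}}}lastModifiedBy"):
        for el in root.iter(tag):
            el.text = ""
    return ET.tostring(root, xml_declaration=True, encoding="UTF-8")
TRANSFORMS = {"word/document.xml": accept_changes, "docProps/core.xml": scrub_core}
def sanitize_docx(data: bytes) -> bytes:  # rewrite the package, transforming only the parts that hide data
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            dst.writestr(name, TRANSFORMS.get(name, lambda b: b)(src.read(name)))
    return out.getvalue()
def part(docx: bytes, name: str) -> str:  # read one XML part back as text, for inspection
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return z.read(name).decode()
def build_sample_docx() -> bytes:  # constructed sample: a price edited from 9000 to 12000 with Track Changes on
    doc = (f'<w:document xmlns:w="{W}"><w:body><w:p><w:r><w:t xml:space="preserve">Price: </w:t></w:r>'
           '<w:del w:author="alice"><w:r><w:delText>9000</w:delText></w:r></w:del>'
           '<w:ins w:author="alice"><w:r><w:t>12000</w:t></w:r></w:ins></w:p></w:body></w:document>')
    core = f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}"><dc:creator>alice</dc:creator><cp:lastModifiedBy>bob</cp:lastModifiedBy></cp:coreProperties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()
```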
Network Attack Defense
Defending the export solution against network attacks relies on robust policies and technical measures. Network threats may originate from external systems or from malware already inside your network.
Identifying Risks
An export solution necessarily has network connectivity across the organizational boundary, which makes it a viable target for network attacks.
Defensive Techniques
The following techniques can help mitigate the risks posed by network attacks:
- Flow Control – Employing data diodes can ensure one-way communication through the export mechanism, preventing external attackers from exploiting your export channel to communicate with malware on your system.
- Release Control – Tying the authorization process to the export channel reduces the risk of unauthorized use of the solution, often implemented with authentication measures or digital signatures.
- Human Validation – Confirming that a human is initiating the export process rather than malware can be done using tools such as TOTP tokens.
Detecting Concealed Data
Identifying data concealed by malware within legitimate exports is particularly challenging due to the various methods attackers employ to disguise information.
When designing an export solution, always account for the residual risk that malware on your system may hide information inside authorized exports; this is distinct from the accidental inclusion of hidden data discussed above.
Data Encryption for Recipients
Encryption is crucial for securing exported data until it reaches its designated recipient.
Identifying Risks
If data transferred from a system is not encrypted, unintended parties may have access to its contents if intercepted.
Defensive Techniques
Two encryption techniques can safeguard information leaving an export solution:
- Data-in-Transit Encryption – Utilizing protocols like Transport Layer Security (TLS) to encrypt the communication channel carrying the information.
- Object Encryption – Encrypting individual objects specifically for their intended recipients.
In many cases, using data-in-transit protections suffices. However, in higher-risk scenarios, object encryption serves to ensure that data is secured even if external components in the export solution are compromised, providing an additional layer of safety.
System Architecture
Every end-to-end export solution varies slightly in its architecture. However, there are essential design considerations regarding the arrangement of components and techniques to enhance effectiveness.
An illustrative end-to-end design is shown as a diagram in the original NCSC article.
Stages of the Export Process
Exporting data can be segmented into three interconnected stages:
1. User Involvement – The user must take action to either progress or halt the export process.
2. The Export Solution – The sequence of processes and components that collectively facilitate the data export.
3. Organizational Responsibility – The cross-domain components of the export solution that the organization must oversee to control the associated risks of data export.
Variants of This Architecture
System designers should consider several valid variations of this architecture:
- Release Authorization and Control can be closely linked, potentially implemented in a sequential manner without object signing or channel authentication.
- Aspects of Release Authorization, Encryption, and Signing may occur within the Source System, such as within a document management workflow. Ensure Release Control can confirm that data has appropriately gone through Release Authorization.
- In contexts where the export solution collaborates with an import solution for dual communication, it is essential to prevent potential bi-directional attacks, where an attacker exploits the import channel to breach internal systems and then uses the export channel to exfiltrate data. Separating these systems when possible mitigates this risk but may not always be feasible.
Monitoring and Managing an End-to-End Export Solution
Continuous monitoring of your export solution is critical to ensure it operates correctly. An effective management strategy will support this objective.
Management
Effective management encompasses:
- Ensuring the system is readily patched and updated.
- Keeping management functions separate from internal systems to prevent compromised devices from affecting the integrity of the export solution.
- Ensuring the management of components beyond Flow Control (like External Proxy) is distinct, as these components face higher compromise risks.
Monitoring
Ongoing monitoring is vital for effective export control:
- The monitoring system must be distinct from the management system.
- All components’ logs should be collected and analyzed within the monitoring system.
- Recording outgoing content may require additional security measures for protection.
- Analyze logs to identify potential abuse of the system or data that should not have been released. Consider using analytics to identify exports that deviate from normal patterns.
- Log analysis should facilitate the detection of improbable events across components, like documents being released without proper authorization.
- Implement network monitoring to address potential network attacks before they breach your systems.
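The two log-analysis checks listed above, run by the monitoring system over logs collected from the Release Authorization and Release Control components: an export that Release Control passed without a matching authorization (an improbable event across components), and a user whose released volume deviates sharply from their own history. This is an added example, not code from the NCSC guidance; the log format, component names and the outlier heuristic are constructed assumptions.

```python
from __future__ import annotations
import json
from collections import defaultdict

# Constructed logs (one JSON event per line) as the monitoring system would collect them.
# Export e3 was denied by Release Authorization and e4 was never seen by it at all.
AUTHZ_LOG = """\
{"component":"release-authz","export_id":"e1","user":"carol","decision":"allow"}
{"component":"release-authz","export_id":"e2","user":"carol","decision":"allow"}
{"component":"release-authz","export_id":"e3","user":"dave","decision":"deny"}
"""
CONTROL_LOG = """\
{"component":"release-control","export_id":"e1","user":"carol","bytes":120000,"day":"2024-07-01"}
{"component":"release-control","export_id":"e2","user":"carol","bytes":110000,"day":"2024-07-02"}
{"component":"release-control","export_id":"e3","user":"dave","bytes":5000,"day":"2024-07-02"}
{"component":"release-control","export_id":"e4","user":"dave","bytes":90000000,"day":"2024-07-03"}
"""

def parse(log: str) -> list[dict]:
    return [json.loads(line) for line in log.splitlines() if line.strip()]

def unauthorized_exports(authz: list[dict], control: list[dict]) -> list[str]:
    """Improbable-event check: anything Release Control let out must have an 'allow' from Release Authorization."""
    allowed = {e["export_id"] for e in authz if e["decision"] == "allow"}
    return [e["export_id"] for e in control if e["export_id"] not in allowed]

def daily_totals(control: list[dict]) -> dict:
    """user -> day -> bytes released: the per-user series the volume check runs over."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in control:
        totals[e["user"]][e["day"]] += e["bytes"]
    return totals

def volume_outliers(control: list[dict], factor: int = 10) -> list[tuple[str, str]]:
    """Deviation-from-normal check (a deliberately simple heuristic): flag a (user, day)
    whose volume exceeds `factor` times that user's largest earlier day."""
    flagged = []
    for user, days in daily_totals(control).items():
        ordered = sorted(days)
        for i, day in enumerate(ordered[1:], start=1):
            prior_max = max(days[d] for d in ordered[:i])
            if days[day] > factor * prior_max:
                flagged.append((user, day))
    return flagged
```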
Conclusion
A well-crafted export solution empowers organizations to share information while minimizing risks to IT systems.
The Role of Human Intervention
A successful data export often requires human involvement. Therefore, the design process must consider the alignment of the export system with the organization’s culture and operational practices. Ensuring the system deters unintended exports without driving users to circumvent it is essential.
A Balanced Approach
Export controls within an IT framework should be considered alongside broader environmental risks, including users’ ability to print documents, capture photographs with smartphones, or copy content into other formats. Excessive controls could lead to the emergence of ‘shadow IT,’ losing governance and control.
Export systems should enable easier sharing and collaboration rather than complicate it.
Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/design-pattern-safely-exporting-data