What the InfoSec C-Suite needs to know about Document Management Systems
7 May 2019
Aaron Rangel, Director of Product Management, iManage, outlines the types of attacks that DMS systems are susceptible to, as well as the data privacy regulations that apply to information in a DMS and the key elements that must be included in security audits.
In today's heightened security environment, pressure on Chief Information Security Officers (CISOs) to secure sensitive information across a myriad of applications, both on-premises and across the cloud, has never been higher.
Modern day security attacks involving stolen credentials exploited via phishing schemes have changed the game dramatically. Leading CISOs understand that the same rigour and energy applied to securing the network must transcend the network boundary to encompass hundreds of applications running on-premises as well as across private and public clouds.
To this end, the traditional software security stack has evolved to address the challenge by investing in user and entity behaviour analytics (UEBA). These offerings generally work by harnessing the power of AI and big data to develop a deep understanding of how individual users and entities such as devices behave, and trigger alerts when anomalous behavioural patterns are detected.
While such solutions have seen reasonable adoption and success, their limitations stem from the fact that they are application agnostic. UEBA alerting is based on generic signals like network activity, file movement and source of network traffic, and suffers from the following three important limitations:
- Inability to detect known threat signatures from mission-critical applications, as threat signals unique to the application are largely ignored
- A high number of false positives, as alerting is limited to generic network-based activity metrics
- Inability to detect advanced application-intrinsic threats conducted at low activity levels
As information security teams develop their vision and strategy to protect privileged information assets, it's important for CISOs to understand:
The need to secure information in firms’ document management system (DMS) application(s)
This is fast bubbling to the top of CISOs’ priority list. It’s a well-known fact that the DMS holds the “crown jewels" of professional services firms’ (e.g. legal, financial) information assets. Examples include the advice a firm delivers as a part of a consultative engagement, a legally binding contract for an asset sale or purchase, M&A due diligence, derivative agreements, etc.
The DMS contains highly privileged information that is not only prized by internal and external threat actors but must also be secured appropriately to comply with several data privacy regulations. As many firms don’t enforce retention policies consistently, it’s not uncommon for DMSs to contain information spanning 10-20 years.
Another problem is that a vast majority of documents in DMSs are not secured with an access control list and, as a result, even sensitive and confidential information is available to all DMS users.
The risk posed by not locking down privileged content stored in DMSs appropriately has not gone unnoticed by firms’ clients, who now use contracts and outside counsel guidelines to enforce closed need-to-know based security and activity monitoring.
Moreover, regulatory bodies like the Securities and Exchange Commission (SEC) and the Serious Fraud Office (SFO) have routinely charged employees, at both law firms and financial services organisations, with insider trading because privileged M&A information was not sufficiently locked down.
The signature threat patterns intrinsic to DMSs
There are numerous ways in which information residing in DMSs can be accessed and exploited, including:
Unintentional high-risk behaviour: This kind of risk is posed not by intentional, malicious behaviour but by poor work habits. Typical examples include a secretary sending firm documents to an individual who has recently left the organisation, or a lawyer exporting a high volume of documents to a personal computer before going on vacation.
Abuse of privileged accounts: Administration accounts have broad privileges over content management operations, which makes them top candidates for misappropriation and phishing attacks.
Non-filers: Non-filers are those users who circumvent the DMS. They represent a risk to the firm as these users store content on local drives or other non-sanctioned repositories, which are not under organisational control.
Stolen credentials (phishing attacks): It’s a well-known fact that professionals in M&A, as well as heads of practice areas with public profiles, are prime targets for phishing attacks. Whether the perpetrator is an insider or an external party that has obtained stolen credentials, the signature threat pattern of such an attack is access to content outside the engagements and practice areas the victim typically works across.
Departing employees: Across professional services firms, the risk posed by departing employees is well understood. In law firms, in particular, there is a strong incentive for departing lawyers to take client business away from the firm when they leave. Similarly, it’s not uncommon for the head of a practice to leave and take his team along to a competing firm, or for a group of two to three partners to depart to set up their own firm.
For a managing partner to know beforehand when a partner is likely to leave can be game-changing. Advance knowledge of a likely departure may even give key stakeholders the ability to preempt the departure.
Sophisticated malicious insider: A malicious actor slowly but systematically accesses content across projects that he or she is not involved with, with the intention of finding privileged information that can be monetised.
Disgruntled user: Not common, but here an employee simply downloads privileged client content and posts it in a public forum to embarrass the firm.
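The threat patterns above share a detectable shape in the DMS audit trail: the stolen-credential case and the sophisticated insider both touch matters outside the practice areas a user normally works in (one noisily, one a few reads at a time), while departing or careless employees show up as bulk exports. The following Python is an added example, not code from the original article or from iManage's products: it builds a per-user baseline of practice areas from a constructed audit log, flags users who then read several distinct matters outside that baseline, flags bulk exports, and emits each alert as a JSON line suitable for forwarding to a SIEM. The event schema, user names, matter ids, dates and thresholds are all assumptions made up for illustration.

```python
"""Rule-based detection of the DMS threat patterns listed above (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import json


@dataclass(frozen=True)
class Event:
    """One DMS audit record. Field names are an assumption, not a real vendor schema."""
    ts: datetime
    user: str
    action: str    # "view" or "export"
    matter: str    # matter / engagement identifier
    practice: str  # practice area the matter belongs to
    docs: int = 1  # number of documents touched by the action


def ev(ts, user, action, matter, practice, docs=1):
    return Event(datetime.fromisoformat(ts), user, action, matter, practice, docs)


# Constructed audit trail: users, matters and dates are made up for illustration.
EVENTS = [
    # 30-day baseline window: each user stays inside their own practice area
    ev("2019-03-01T09:00", "alice", "view", "M-001", "corporate"),
    ev("2019-03-05T10:00", "alice", "view", "M-002", "corporate"),
    ev("2019-03-20T11:00", "alice", "export", "M-001", "corporate", 5),
    ev("2019-03-02T09:30", "bob", "view", "L-010", "litigation"),
    ev("2019-03-12T14:00", "bob", "view", "L-011", "litigation"),
    ev("2019-03-03T08:00", "carol", "view", "M-001", "corporate"),
    ev("2019-03-25T16:00", "carol", "export", "M-001", "corporate", 3),
    # evaluation window
    ev("2019-04-02T02:10", "alice", "view", "L-010", "litigation"),  # stolen credentials:
    ev("2019-04-02T02:12", "alice", "view", "L-011", "litigation"),  # a burst of reads in
    ev("2019-04-02T02:15", "alice", "view", "L-012", "litigation"),  # practice areas alice
    ev("2019-04-02T02:20", "alice", "view", "T-200", "tax"),         # never works in
    ev("2019-04-03T11:00", "bob", "view", "M-001", "corporate"),     # low and slow: single
    ev("2019-04-09T15:30", "bob", "view", "M-002", "corporate"),     # reads, days apart,
    ev("2019-04-14T10:45", "bob", "view", "M-003", "corporate"),     # across M&A matters
    ev("2019-04-15T17:50", "carol", "export", "M-001", "corporate", 150),  # bulk export
]

BASELINE_END = datetime(2019, 4, 1)


def build_baseline(events, baseline_end):
    """Practice areas each user touched before baseline_end: their normal scope."""
    scope = defaultdict(set)
    for e in events:
        if e.ts < baseline_end:
            scope[e.user].add(e.practice)
    return dict(scope)


def detect_out_of_scope(events, baseline, baseline_end, min_matters=3):
    """Users who read >= min_matters distinct matters outside their baseline practice areas.
    Counting distinct matters instead of event volume catches both the noisy credential-theft
    burst and the low-and-slow insider, whose three reads would never trip a volume threshold."""
    hits = defaultdict(set)
    for e in events:
        if e.ts >= baseline_end and e.practice not in baseline.get(e.user, set()):
            hits[e.user].add(e.matter)
    return {u: sorted(m) for u, m in hits.items() if len(m) >= min_matters}


def detect_bulk_export(events, baseline_end, max_docs_per_day=100):
    """Users who export more than max_docs_per_day documents in a single day."""
    per_day = defaultdict(int)
    for e in events:
        if e.ts >= baseline_end and e.action == "export":
            per_day[(e.user, e.ts.date())] += e.docs
    flagged = {}
    for (user, _day), n in per_day.items():
        if n > max_docs_per_day:
            flagged[user] = max(flagged.get(user, 0), n)
    return flagged


def siem_alerts(events, baseline_end):
    """Run both detectors and return one JSON line per alert for forwarding to a SIEM."""
    baseline = build_baseline(events, baseline_end)
    records = []
    for user, matters in detect_out_of_scope(events, baseline, baseline_end).items():
        records.append({"source": "dms", "rule": "out_of_scope_access",
                        "user": user, "matters": matters, "severity": "high"})
    for user, docs in detect_bulk_export(events, baseline_end).items():
        records.append({"source": "dms", "rule": "bulk_export",
                        "user": user, "documents": docs, "severity": "medium"})
    return [json.dumps(r, sort_keys=True) for r in records]


if __name__ == "__main__":
    for line in siem_alerts(EVENTS, BASELINE_END):
        print(line)
```

Running the script prints three alerts: alice (four out-of-scope matters in ten minutes), bob (three single reads spread over two weeks) and carol (150 documents exported in one day). The design point is the choice of signal: a generic volume or network-traffic rule of the kind UEBA relies on sees nothing unusual in bob's three page views, whereas a rule that understands what a matter and a practice area are flags him with the same logic that flags the credential-theft burst.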
How to detect and mitigate threat patterns in a DMS
Having an integrated platform of applications that encompasses document management and collaboration, artificial intelligence and knowledge management – all built on a comprehensive security and information governance foundation – makes it easier to detect and mitigate threats.
The security and information governance foundation must incorporate principles from Zero Trust architecture, including "always validate credentials, never trust", micro-segmentation, granular perimeter enforcement, and so on.
This approach represents a shift away from the traditional security model where ‘trust’ is inbuilt in the enterprise architecture – i.e. trust in network, trust between applications, trust in users and administrators and so on.
Securing information on a "need-to-know basis" needs to be a straightforward undertaking. Policy management must make it easy to silo information by department or practice area. This will restrict access to information to only those individuals who are authorised to view respective data in the DMS.
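The practical difference between the two postures described in this article, documents with no ACL being readable by every DMS user versus information siloed by practice area on a need-to-know basis, comes down to what the access check does when a document carries no explicit ACL. The following Python is an added example, not code from the original article or from any iManage product: it models both policies side by side over a constructed set of users and documents, treats administrators as ordinary users with no implicit read access (the Zero Trust point above), and includes the audit helper that lists documents with no ACL at all. User names, document ids and practice areas are made-up sample data.

```python
"""Need-to-know access evaluation for DMS content (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: str
    practice: str                      # practice area / department of the matter
    acl: frozenset = frozenset()       # explicit need-to-know list; empty = no ACL set


@dataclass(frozen=True)
class User:
    name: str
    practice: str
    is_admin: bool = False


# Constructed sample directory and document set.
USERS = {
    "alice": User("alice", "corporate"),
    "bob": User("bob", "litigation"),
    "carol": User("carol", "corporate"),
    "sysadmin": User("sysadmin", "it", is_admin=True),
}
DOCS = [
    Document("D-1", "corporate", frozenset({"alice"})),  # explicitly restricted
    Document("D-2", "corporate"),                        # no ACL set
    Document("D-3", "litigation"),                       # no ACL set
]


def can_read_open_by_default(user, doc):
    """The posture the article warns about: no ACL means every user can read,
    and an administrator account can read everything."""
    return user.is_admin or not doc.acl or user.name in doc.acl


def can_read_need_to_know(user, doc):
    """Siloed posture: an explicit ACL is authoritative; with no ACL the document
    falls back to its practice area, and admin rights grant no read access."""
    if doc.acl:
        return user.name in doc.acl
    return user.practice == doc.practice


def unsecured_documents(docs):
    """Audit helper: documents whose protection depends entirely on the default."""
    return [d.doc_id for d in docs if not d.acl]


def access_matrix(users, docs, policy):
    """Which documents each user can read under a given policy function."""
    return {name: sorted(d.doc_id for d in docs if policy(u, d))
            for name, u in users.items()}


if __name__ == "__main__":
    print("no ACL:", unsecured_documents(DOCS))
    print("open by default:", access_matrix(USERS, DOCS, can_read_open_by_default))
    print("need to know:", access_matrix(USERS, DOCS, can_read_need_to_know))
```

Under the open-by-default policy bob, a litigator, reads the corporate document D-2 and the administrator reads all three; under the need-to-know policy bob sees only D-3, carol sees only the unrestricted corporate document, and the administrator sees nothing. Running `unsecured_documents` over a real repository is the quickest way to measure how much content is protected only by the default.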
AI and analytics should form part of the technology mix in detecting DMS threat signals. This will ensure that intervention happens in real time to stop data loss that could adversely impact the firm or the firm's clients. All this must happen in close integration with the firm’s enterprise security stack by pushing DMS-centric alerts to a Security Information and Event Management (SIEM) tool.
Implementing this kind of all-encompassing yet layered approach to security, with multiple defences in place, will make securing the “crown jewels" of the firm’s information assets comprehensive, ubiquitous and invisible.
Moreover, as firms progress with their digital transformation journeys, which is fast becoming a major programme in many organisations, securing the DMS must be a key aspect of the broader enterprise security initiative.
About the author
Aaron Rangel is a Director of Product Management within the iManage Security, Risk and Governance product suite. Aaron has extensive experience in launching innovative products to the marketplace. Prior to iManage, Aaron held senior product management positions at SPSS and IBM, and has extensive experience in both the document management and analytics spaces.