
A cross domain solution (CDS) is a system designed to allow two network domains (a single domain being a set of servers with a common login) to exchange data securely. A CDS includes a content filter that prevents data from being moved to a domain that does not have authorization to use it.


Domains with different levels of access to secure information need a means to both manually and automatically transfer data. A CDS will offer:


1. Access solutions - the ability to view information from domains with differing security levels.

2. Transfer solutions - the ability to move information between domains with differing security levels.

3. Multi-level solutions - the storage of all data in a single domain.


The SANS Institute has prepared a diagram that shows how cross domain solutions work:


[Image: SANS Institute diagram of cross domain solutions]


See the SANS Institute guide, Shedding Light on Cross Domain Solutions, posted here.
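The content filter described above, sketched as an added example (not code from this post or from the SANS guide): a transfer guard that releases data only to a domain authorized for its level and fails closed on unknown labels. The level names, the `filter_transfer` function and the sample documents are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical security levels, lowest to highest (constructed for this example).
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "RESTRICTED": 2}

# Level markings that may appear inside the document text itself.
MARKING = re.compile(r"\b(" + "|".join(LEVELS) + r")\b")

@dataclass
class Decision:
    allowed: bool
    reason: str

def effective_level(declared: str, body: str) -> int:
    """Highest level among the declared label and any markings found in the body."""
    found = [LEVELS[m] for m in MARKING.findall(body)]
    return max([LEVELS[declared], *found])

def filter_transfer(declared: str, body: str, dest_clearance: str) -> Decision:
    """Release data only to a domain authorized for its effective level."""
    if declared not in LEVELS or dest_clearance not in LEVELS:
        return Decision(False, "unknown label; fail closed")
    level = effective_level(declared, body)
    # A marking above the declared label means the file is mislabelled:
    # hold it for review instead of trusting the sender's label.
    if level > LEVELS[declared]:
        return Decision(False, "body carries a marking above the declared label")
    if level > LEVELS[dest_clearance]:
        return Decision(False, "destination domain is not authorized for this level")
    return Decision(True, "released")

# Constructed sample transfers: (declared label, body, destination clearance).
SAMPLES = [
    ("INTERNAL", "Quarterly staffing plan.", "PUBLIC"),
    ("PUBLIC", "Press release draft.", "INTERNAL"),
    ("PUBLIC", "Summary page. RESTRICTED appendix follows.", "INTERNAL"),
    ("UNLABELLED", "Raw export.", "INTERNAL"),
]

if __name__ == "__main__":
    for declared, body, dest in SAMPLES:
        print(f"{declared} -> {dest}: {filter_transfer(declared, body, dest)}")
```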

 
 
  • Nov 22, 2020

The Health Information Technology for Economic and Clinical Health Act, 42 U.S.C. §§300jj, et seq. (2009), known as the HITECH Act, was passed to encourage the use of health information technology.


Under the Act, healthcare organizations covered by HIPAA have to report data breaches that concern more than 500 people to the Department of Health and Human Services and to the victims of the breach themselves, as well as give public notice of the breaches.


The Act also gives an individual the right to request a copy of their electronic health records (EHR).

 
 

When choosing a file sharing service, consider the following factors:


1. Can the users of the file sharing system recall records by referring to file hashes? If the hashes are generated using a private key and public key, outside parties will not be able to access the files.


2. Does the service provide tunnelling protocols to allow data to be transferred securely between two points that use different protocols?


3. Does the service allow for customer-managed encryption keys? Can the end user use their own encryption software and manage their own keys? A key is the piece of information that allows a cryptographic algorithm to convert encrypted text into plaintext (unencrypted text), and vice versa.


4. Is device-to-device synchronization available? When data is updated on one device, will it be automatically updated on another device it is linked to?


5. What is the maximum size for any one file uploaded to the file sharing platform? For example, different kinds of Box accounts may limit individual files to anywhere between 250 MB and 32 GB. See this post.


6. If the file share software is open source, it will be easier for security experts to check for its vulnerabilities.


7. Does the service offer hybrid clouds, allowing for both public and private cloud services? The former is cheaper and can be easily scaled to meet customer demand, but the latter uses a dedicated cloud infrastructure that keeps data behind a firewall.


8. Will files be encrypted not only while they are transferred, but also when they are stored on a server? Is the data protected while it is at rest?


9. Does the service offer end-to-end encryption? This will allow only users exchanging files to view them, and prevent access by the provider.


10. Is two-factor authentication offered?


11. Does the service permit data mining? Google Drive uses data mining to find personal information it can use for advertising purposes.


12. Does the system have a versioning file system which allows it to store several versions of the same file?

 
 

Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco.   He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea
