Agencies and businesses increasingly rely on digital forms of communication for computer-based, real-time collaboration. In the virtual environment, these software applications enable participants to communicate via voice, video, chat and whiteboard, while sharing user desktops, applications and documents.
However, some features of these applications are of concern with respect to network and data security. Some general risks that are associated with this type of technology include:
- Malware – Viruses, spyware, Trojans and worms transferred through instant message sessions and peer-to-peer data exchanges.
- Loss of Data Confidentiality – Data transferred via a collaborative software tool is subject to unauthorized disclosure at several points during the communication session. The traffic generally passes through third-party networks and servers out of the control of the data owner.
- Network Attacks – These collaborative software tools open additional network ports, creating a larger attack surface and more entry points for untrusted users to launch denial of service, spamming and man-in-the-middle attacks. These tools also consume large amounts of network bandwidth, creating the potential for unintended denial of service.
The IRS Internal Revenue Manual (IRM) 10.8.1, Security, Privacy and Assurance Policy, stipulates the following policy regarding the use of collaborative software tools:
- Collaborative software tools “shall not be used to transmit sensitive but unclassified (SBU) data.”
- “The communication of audio and video content, directory services, application sharing and remote desktop sharing shall be prohibited.”
Therefore, these collaborative software tools do not provide the required level of assurance to protect sensitive but unclassified federal tax information (FTI), and State agencies are prohibited from using them to display or transmit FTI, regardless of whether the collaboration service is hosted by a third party or by the agency itself.
In lieu of using a collaborative software tool such as GoToMeeting or GoToAssist to transmit FTI, agencies should use agency-controlled Virtual Private Networks (VPNs) that provide FIPS 140-2 or later compliant cryptography to prevent a loss of data confidentiality and/or integrity.