Request for Technical Assistance
Do the security standards in collaborative software tools such as Citrix products GoToMeeting and GoToAssist offer sufficient protection in transmitting Federal Tax Information (FTI) across encrypted tunnels?
Agencies and businesses increasingly rely on digital forms of communication for computer-based real-time collaboration. These software applications provide virtual space, which enables participants to communicate via voice, video, chat, whiteboard, and can share user desktops, applications and documents.
However, some of the features of these applications are of concern with respect to network and data security. Some general risks that are associated with this type of technology include:
Malware – Viruses, spyware, Trojans and worms transferred through instant message sessions and peer-to-peer data exchanges.
Loss of Data Confidentiality – Data transferred via a collaborative software tool is subject to unauthorized disclosure at several points during the communication session. The traffic generally passes through third-party networks and servers out of the control of the data owner.
Network Attacks – These collaborative software tools open additional network ports, creating a larger attack surface and more entry points for untrusted users to launch denial-of-service, spamming and man-in-the-middle attacks. Also, these tools use excessive amounts of network bandwidth, creating the potential for unintended denial of service.
The IRS Internal Revenue Manual (IRM) 10.8.1, Security, Privacy and Assurance Policy, implements the following policy with regard to the use of collaborative software tools:
Collaborative software tools “shall not be used to transmit sensitive but unclassified (SBU) data.”
“The communication of audio and video content, directory services, application sharing, and remote desktop sharing shall be prohibited.”
Therefore, these collaborative software tools do not provide the required level of assurance to protect sensitive but unclassified FTI, and State agencies are prohibited from using them to display or transmit FTI, regardless of whether the collaboration service is hosted by a third party or by the agency itself.
In lieu of using a collaborative software tool such as GoToMeeting or GoToAssist to transmit FTI, agencies should use agency-controlled Virtual Private Networks (VPNs) that provide FIPS 140-2 or later compliant cryptography to prevent a loss of data confidentiality and/or integrity.