BreachExchange mailing list archives

IP security checkpoint: Can inside counsel trust IP management providers to protect their data?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 9 Oct 2015 13:42:02 -0600

http://www.insidecounsel.com/2015/10/09/ip-security-checkpoint-can-inside-counsel-trust-ip

As attackers have grown more sophisticated, reports of corporate security
breaches are arriving more frequently than ever before. Inside counsel in
particular must ensure that every third-party vendor hosting sensitive
intellectual property (IP) data keeps addressing new risks as the threat
landscape evolves. Providers of trademark watching and clearance, domain name
registration services, and IP management systems are all potential targets;
consider the damage that would follow if the sensitive information stored in
these systems were leaked. The good news is that checking whether your
vendors have deployed appropriate security measures and necessary
functionality is a fairly straightforward task.

From a security standpoint, every vendor hosting your intellectual property
data should minimally be offering the following to protect your data:

Two-Factor Authentication

Any online system that requires only a username and password to gain access
is not adequately secured. Why? Attackers have amassed credentials with
relative ease over the last several years, through keystroke loggers and
other malware, man-in-the-middle attacks, and vulnerabilities such as
Heartbleed, so a username and password alone are no longer enough to protect
valuable data. In addition to the password, vendors should offer two-factor
authentication (2FA): a one-time passcode (OTP) derived from a secret shared
between the user and the service, usually produced by a mobile authenticator
app or a hardware token such as a key fob. If your vendor supports federated
authentication via single sign-on (SSO) using the SAML open standard (for
example, through an identity provider such as Microsoft's AD FS), you gain
central control over who can log in, but this raises security only if your
corporate identity provider itself enforces a second factor; SSO inherits
whatever authentication policy that provider applies.



SOC 2 Type 2 Reporting

A third-party SOC 2 Type 2 report (often loosely labelled an "SSAE 16"
report, although SSAE 16 is the standard for SOC 1 reports on
financial-reporting controls) provides independent assurance that the
vendor's controls were in place and operating effectively over a review
period, not merely designed at a point in time as in a Type 1 report. It
should cover both the hosting environment and the application software. Pay
close attention to the Security criteria, which attest that the system is
protected against unauthorized access, use, or modification. The
Availability criteria, which attest that the system is available for
operation and use as committed or agreed, should also be a primary focus.



Encryption At Rest and In Transit

Given the sensitive nature of IP data, all stored information should be
encrypted with a modern cipher such as AES, with the keys held separately
from the database itself. (RSA is typically used to protect those keys or to
authenticate parties, and SHA-256 is a hash function used for integrity
checks and password storage; neither is a substitute for encrypting the
data.) Data should be decrypted only when an authenticated, authorized user
requests it. With this approach, even if the database were stolen, the
compromised information would remain unreadable without the keys. Data in
transit, between your browser and the vendor and between the vendor's own
systems, should be protected with TLS.

Network Vulnerability and Penetration Testing

All vendors hosting your IP data should have third-party penetration tests
performed regularly against both their application and their network to
uncover vulnerabilities. If you are unsure whether your vendor does this,
ask, and ask to see the summary findings and evidence that the issues were
remediated.



Single Tenancy

Single tenancy means each customer's application runs on its own database
instance and supporting infrastructure. Data is never commingled, which
removes an entire class of cross-tenant exposure (an authorization bug in a
multi-tenant application can show one customer another customer's records).
For this reason single-tenant deployments are preferable to those of vendors
who offer only multi-tenancy; a multi-tenant vendor should at least be able
to explain how tenants are isolated at the application and database layers.



Granular User Rights Management

Not everyone with access to your trademark watching and clearance platform,
domain registrar account, or IP management system needs to see, or even
should see, every piece of information it contains. Limiting who has access
and what they can update or modify should be standard practice. The system
should make it easy to manage all users and to specify whether each has
full, read-only, or no access to specific records and fields.



Audit Logging

All online IP management systems must provide full audit logging so that
there is never any question about who submitted an order, requested a domain
renewal, or marked a patent to lapse. Every update must be time-stamped, and
any required approvals must be logged in the system as well. This
information should be easy to access and impossible to edit: an append-only,
tamper-evident log rather than a table that the vendor's own administrators
can rewrite.
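Added example, not from the article: one way to make an audit log tamper-evident, using a hash chain in which each entry commits to the previous entry's hash, together with the verification a customer could run on an exported log. The events and timestamps are constructed sample data, the function and field names are my own, and a real system would additionally sign or externally anchor the head hash, as the note after the code explains.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry


def entry_hash(entry: dict) -> str:
    """SHA-256 over the canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log in which each entry commits to its predecessor's hash."""

    def __init__(self):
        self.entries = []

    def append(self, actor: str, action: str, record: str, timestamp: str = None) -> str:
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ts": ts, "actor": actor,
                 "action": action, "record": record, "prev": prev}
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        """Latest hash; record it outside the vendor's control to detect rewrites."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries: list, expected_head: str = None):
    """Walk the chain; return (True, None) or (False, seq of the first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev or entry_hash(e) != e["hash"]:
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)  # self-consistent chain that does not match the anchor
    return True, None


def tampered_copy(entries: list, seq: int, field: str, value):
    """Deep copy with one field edited, mimicking a direct database edit by an insider."""
    copied = json.loads(json.dumps(entries))
    copied[seq][field] = value
    return copied


def build_sample_log() -> AuditLog:
    """Constructed sample events (not real data) with fixed timestamps so hashes are stable."""
    log = AuditLog()
    log.append("jdoe", "renew_domain", "example.com", "2015-10-01T09:00:00+00:00")
    log.append("asmith", "approve_renewal", "example.com", "2015-10-01T09:05:00+00:00")
    log.append("jdoe", "mark_lapsed", "docket-0001", "2015-10-02T14:30:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify(log.entries, log.head()))
    print("edited actor:", verify(tampered_copy(log.entries, 1, "actor", "mallory")))
    print("dropped last entry, checked against anchor:",
          verify(log.entries[:-1], log.head()))
```

A hash chain catches edits and deletions in the middle of the log, but whoever controls the whole table can rewrite every hash from the edited point forward, and truncating the tail leaves a chain that still verifies. That is why `verify` takes an expected head: periodically record the head hash somewhere the vendor cannot change (your own records, a signed export, a write-once store) and check exports against it.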



Documented Internal Policies, Guidelines and Physical Controls

Don't be afraid to ask your vendors for documentation of their internal
security procedures. For instance, how do they handle password reset
requests, do they run background checks on employees, and what physical
controls protect the facilities where your data is stored? These are just a
few of the questions worth asking.

While this is certainly not an exhaustive list, it does provide a solid
starting point for inside counsel who are evaluating whether their vendors
are serious about protecting their IP data. Of course, in time, new threats
will undoubtedly arise – but working with vendors committed to protecting
proprietary data will help to mitigate risks, now and in the future.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 