Q
Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Does Tor usage pose a security risk for enterprises?

Expert Kevin Beaver discusses whether Tor usage should be allowed in the enterprise and if it still offers the anonymity it promises.

We have a number of employees who use Tor for legitimate business purposes, but it seems like it's increasingly...

under attack by black hats and the U.S. government. Does it still provide realistic anonymity, or is lack of Tor security making it easier for attackers and the NSA to access data?

Tor is one of those gray areas of IT and security where usage is questionable and security may or may not exist. Case in point: Kaspersky recently discovered hundreds of botnets and darknet markets within Tor, not to mention the involvement by the NSA and countless other government agencies. Given this fact alone, if I were a security manager, IT director or savvy executive who understands security, I'd have a big problem with my employees using such an environment. 

Legitimate business purpose or not, from the network to the endpoints, it might be risky for your business to work in and around Tor. I suggest that you get together with some sharp minds in your business (i.e., your security committee) and ask the following questions:

  • Who is using Tor?
  • What's the legitimate business reasoning behind this usage?
  • What policies and contracts are being violated and what business risks are being generated by doing so?
  • How are your systems and sensitive information vulnerable due to this usage?
  • What are your alternatives?

This can be a tough situation to handle. We honestly just don't know much about the deep Web. In the end, if there's a strong enough business case (i.e., for journalists who use Tor to protect their confidential sources, as recommended by the Electronic Frontier Foundation and ACLU), you might have trouble eliminating Tor usage in your organization. Perhaps you can find a happy medium and only allow Tor usage from certain systems (i.e. virtual machines) on certain network segments (i.e. non-production virtual LANs or guest networks) that are protected with effective antimalware software and closely monitored. For now, the most important thing you can do is inform management of the situation and let them make the final decision.

Ask the Expert!
SearchSecurity expert Kevin Beaver is ready to answer your enterprise security questions -- submit them now! (All questions are anonymous.)

This was last published in October 2014

Dig Deeper on Web application and API security best practices

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

From where I sit, Tor is perfect for anything you need to do anonymously. Though a lot of my information comes from new TV shows like Scorpion and NCIS New Orleans, how could I be wrong?

In fact, one of the cases Kevin makes is for some journalists to use Tor to protect sources. So, what could go wrong?

I guess the main thing - though covered well in this piece - is that we really don't have a clear picture of who, what and why entities are on the dark web and how their presence there might affect our data, presence and activity there.

Sounds circuitous, but until there's a definitive reason to leverage Tor, you might be safer unhooking all your devices from the Web and transporting data on yellow legal pads from place to place. Then burning the files in your backyard firepit once the knowledge transfer has taken place.

If that's too restrictive, then go with a buyer beware attitude and be skeptical of all your connections and online interactions and have a plan in place for disaster mitigation if your data becomes compromised.

Dark web or not, nothing is completely safe these days. Use that mantra to guide your activity.
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

  • CIO Trends #6: Nordics

    In this e-guide, read how the High North and Baltic Sea collaboration is about to undergo a serious and redefining makeover to ...

  • CIO Trends #6: Middle East

    In this e-guide we look at the role of information technology as the Arabian Gulf commits billions of dollars to building more ...

  • CIO Trends #6: Benelux

    In this e-guide, read about the Netherlands' coalition government's four year plan which includes the term 'cyber' no fewer than ...

Close