- Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Does Tor usage pose a security risk for enterprises?

Expert Kevin Beaver discusses whether Tor usage should be allowed in the enterprise and if it still offers the anonymity it promises.

We have a number of employees who use Tor for legitimate business purposes, but it seems like it's increasingly under attack by black hats and the U.S. government. Does it still provide realistic anonymity, or is lack of Tor security making it easier for attackers and the NSA to access data?

Tor is one of those gray areas of IT and security where usage is questionable and security may or may not exist. Case in point: Kaspersky recently discovered hundreds of botnets and darknet markets within Tor, not to mention the involvement by the NSA and countless other government agencies. Given this fact alone, if I were a security manager, IT director or savvy executive who understands security, I'd have a big problem with my employees using such an environment. 

Legitimate business purpose or not, from the network to the endpoints, it might be risky for your business to work in and around Tor. I suggest that you get together with some sharp minds in your business (i.e., your security committee) and ask the following questions:

  • Who is using Tor?
  • What's the legitimate business reasoning behind this usage?
  • What policies and contracts are being violated and what business risks are being generated by doing so?
  • How are your systems and sensitive information vulnerable due to this usage?
  • What are your alternatives?

This can be a tough situation to handle. We honestly just don't know much about the deep Web. In the end, if there's a strong enough business case (i.e., for journalists who use Tor to protect their confidential sources, as recommended by the Electronic Frontier Foundation and ACLU), you might have trouble eliminating Tor usage in your organization. Perhaps you can find a happy medium and only allow Tor usage from certain systems (i.e. virtual machines) on certain network segments (i.e. non-production virtual LANs or guest networks) that are protected with effective antimalware software and closely monitored. For now, the most important thing you can do is inform management of the situation and let them make the final decision.

Ask the Expert!
SearchSecurity expert Kevin Beaver is ready to answer your enterprise security questions -- submit them now! (All questions are anonymous.)

This was last published in October 2014

Dig Deeper on Web application and API security best practices

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

From where I sit, Tor is perfect for anything you need to do anonymously. Though a lot of my information comes from new TV shows like Scorpion and NCIS New Orleans, how could I be wrong?

In fact, one of the cases Kevin makes is for some journalists to use Tor to protect sources. So, what could go wrong?

I guess the main thing - though covered well in this piece - is that we really don't have a clear picture of who, what and why entities are on the dark web and how their presence there might affect our data, presence and activity there.

Sounds circuitous, but until there's a definitive reason to leverage Tor, you might be safer unhooking all your devices from the Web and transporting data on yellow legal pads from place to place. Then burning the files in your backyard firepit once the knowledge transfer has taken place.

If that's too restrictive, then go with a buyer beware attitude and be skeptical of all your connections and online interactions and have a plan in place for disaster mitigation if your data becomes compromised.

Dark web or not, nothing is completely safe these days. Use that mantra to guide your activity.