We have a number of employees who use Tor for legitimate business purposes, but it seems like it's increasingly under attack by black hats and the U.S. government. Does it still provide realistic anonymity, or is lack of Tor security making it easier for attackers and the NSA to access data?
Tor is one of those gray areas of IT and security where usage is questionable and security may or may not exist. Case in point: Kaspersky recently discovered hundreds of botnets and darknet markets within Tor, not to mention the involvement by the NSA and countless other government agencies. Given this fact alone, if I were a security manager, IT director or savvy executive who understands security, I'd have a big problem with my employees using such an environment.
Legitimate business purpose or not, from the network to the endpoints, it might be risky for your business to work in and around Tor. I suggest that you get together with some sharp minds in your business (i.e., your security committee) and ask the following questions:
- Who is using Tor?
- What's the legitimate business reasoning behind this usage?
- What policies and contracts are being violated and what business risks are being generated by doing so?
- How are your systems and sensitive information vulnerable due to this usage?
- What are your alternatives?
This can be a tough situation to handle. We honestly just don't know much about the deep Web. In the end, if there's a strong enough business case (e.g., for journalists who use Tor to protect their confidential sources, as recommended by the Electronic Frontier Foundation and ACLU), you might have trouble eliminating Tor usage in your organization. Perhaps you can find a happy medium and only allow Tor usage from certain systems (i.e., virtual machines) on certain network segments (i.e., non-production virtual LANs or guest networks) that are protected with effective antimalware software and closely monitored. For now, the most important thing you can do is inform management of the situation and let them make the final decision.
Ask the Expert!
SearchSecurity expert Kevin Beaver is ready to answer your enterprise security questions -- submit them now! (All questions are anonymous.)