S 2.454 Planning the secure use of groupware systems

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: IT Security Officer, Administrator

Before a groupware system is introduced, it is necessary to decide for which application scenarios the system should be used and what type of information it is intended for. Which hardware and software components need to be purchased also depends on the type of use determining the type and scope of the planning required. In particular, the security policies to be defined also depend heavily on the intended application scenario.

In general, a rough differentiation is made between the following groupware system application scenarios:

• Use as Intranet server and access using groupware clients: In this scenario, the main focus is placed on using groupware systems as an internal system for office communications (e-mail, scheduling appointments, coordination of group work).
• Use as Intranet server and access using web clients: In this scenario, a groupware server is accessed via a browser. Because completely different security mechanisms are used at the web interface of a groupware server, the secure configuration of the web interface is considered to be a separate scenario.
• Use in the demilitarised zone (DMZ) or perimeter network: A groupware server can also be used as publicly accessible information server in a DMZ. Due to the exposed position of the server, this type of use requires particular attention when configuring the system.
• Use of groupware applications provided by external service providers (e.g. cloud computing): Here, groupware applications provided by external service providers in the Internet are accessed. From a security perspective, special attention in this respect must be paid to the confidentiality of the data stored by third parties and to the availability of the service.

Within these individual scenarios, further distinctions can be made as to which functions are to be used by the groupware applied. As a rule, separate planning is required for the use of each individual function, also taking into account security aspects.

Depending on the purpose for which groupware systems are to be used, the requirements regarding the confidentiality, availability, integrity and binding nature of the data to be transmitted differ.

As a matter of principle, the following aspects must be taken into consideration when planning the use of groupware:

• It must be clarified which types of information are to be communicated via which channels using the groupware system and what protection requirements this information and the associated business processes have.
• It must be defined which groupware components and servers are to be used, and which user (roles) with which authorisations are allowed to use them.
• During the design phase of the use of groupware, it must also be specified which cryptographic security mechanisms are to be used, especially for e-mails (see also S 5.108 Cryptographic protection of groupware and/or e-mail).
• In order to allow communications into foreign networks, the use of exposed servers must be planned. They should be positioned in a demilitarised zone or at least behind a security gateway (see module S 3.1 security gateway (firewall)).

During the planning phase, it should also be defined how proper file transfer can be ensured through organisational regulations or technical implementation. This includes the following aspects, for example:

• The groupware clients must be pre-configured by the administrators in such a way that a maximum level of security can be achieved without any further action by the users. Further details on the protection of e-mail clients can be found in S 5.57 Secure configuration of groupware/mail clients.
• It may only be possible to transmit data after the sender's successful identification and authentication of the sender at the transmission system.
• Before using groupware systems for the first time, the users must receive instructions on how to use the relevant applications. The users must be familiar with the organisation's internal user regulations regarding the exchange of data.

In general, messages sent to internal addresses should not be forwarded using external channels or to external addresses. If exceptions to this regulation are made, all employees must be informed. For example, it is possible to forward e-mails to external access points for field service employees or other employees who are often on business trips. Using groupware applications and the transmission of e-mails between different premises of an organisation, in particular, should take place using secure channels such as a VPN or the organisation's own dedicated lines.

In addition, the following aspects must be taken into consideration when designing the secure use of groupware:

• The handling of active contents must be planned consistently for groupware communications. Here, an organisation-wide uniform procedure must be defined after the respective advantages and disadvantages have been weighed up.
• A decision must be made as to whether out-of-office messages may be used, since internal, personal information may be disclosed to the outside world when making use of this function.
• Using e-mail filter mechanisms as protection against spam mail (undesired advertising e-mails) must be planned.
• In order to use the calendar function and task list, it must be specified which persons with which authorisations may access these functions. This is of particular importance for the collaboration with other organisational units or external parties.
• Planning must also cover situations in which users use the same computers. As a result, profiles must be created and protected on these computers.
• If chat, instant messaging, audio or video conference services are to be used in the organisation, their respective use must be planned.

If external service providers are to be used for the application of groupware, for example mail providers, the security recommendations described in module S 1.11 Outsourcing must be implemented for this purpose. Above all, it must be clarified which security safeguards are taken by the service provider (see also S 2.123 Selection of a groupware or mail provider).

Again and again, it is discussed if and to what extent official groupware applications, e-mail in particular, may be used for private purposes. As long as private use is kept within limits, this is even supported by many organisations, since this has a positive effect on the motivation of the employees. In general, however, it is recommended to agree in the groupware policy upon which rules must be complied with when using groupware in general and also regarding private use of e-mail and other groupware services.

When using groupware systems in organisations, it should also be defined which groupware applications may be used by the users. In addition to different services offered by the groupware systems used in-house, it is also possible to access other groupware applications that can be used via the workstation computers, such as webmail or Internet terminal calendars. It must be clearly specified which internal or external groupware applications bay be used by the employees. How this might look is described below using the example of webmail. As a matter of principle, employees may only use programs and external services released and approved by their organisation.

Webmail refers to offers in which web-based e-mail services are accessed via a browser. Different mail providers offer corresponding extensions that are either integrated directly into their products or provided as additional modules. Webmail has the advantage that the mailboxes of the e-mail accounts can be accessed from any computer with an Internet connection all over the world without having to invest in a complex infrastructure for this purpose. However, it is more difficult to implement the security policies applicable throughout the organisation than it is for the transport using internal e-mail servers, for example with respect to virus protection or encryption. Moreover, the risk that confidential e-mails are read or passwords are listened in on is significantly higher in the event of external access to webmail logins.

When using webmail from a government agency and/or company network, it is absolutely mandatory to ensure protection against malicious software (malware). Following current virus warnings, it can take some time to install the new virus protection updates on all clients. In such a situation, it can make sense to at least block access to webmail until the persons responsible are sure that adequate protection has been provided.

Handling webmail in the government agency and/or company should be regulated. In this respect, there are several variants:

• Organisations can decide to generally ban the use of webmail. Of course, the employees must then be notified of this. In addition, this ban can be supported by technical means, i.e. using filters regarding known providers. In this respect, however, one should be aware of the fact that users can always find new ways to access such services.
• It is possible to recommend the use of webmail for private e-mails which are to be sent from the internal LAN. Thus, employees can be prevented from using official e-mail logins for private purposes in spite of corresponding bans - for example, because it is urgent or simply practical.
• There are also organisations in which webmail is officially released and approved for official e-mails. The reasons for this vary. For example, there are a number of smaller organisations which do not have their own e-mail server and use webmail for external communications. Webmail can also be practical for employees who need to access their e-mails when they are on business trips for which no access has been set up using remote access. Another reason for using webmail can be that the respective organisation does not want to appear externally for certain e-mails or that webmail addresses are indicated where spam is expected, i.e. in the event of certain downloads, news groups etc.

If webmail is used, the recommendations in S 5.96 The secure use of webmail should be taken into account.

Review questions:

• Are principles specified for the secure use of groupware systems?
• Was it defined which types of information may be transmitted using groupware services under what general prevailing conditions as regards their protection requirements?
• Are the regulations for the private use of groupware services?
• Is there a policy for handling webmail?