In many cases, a threat of any type doesn't coalesce in the minds of folks until concrete examples are given. It's one thing to say that global warming will raise the temperature a couple of degrees over a few years. It's another to see videos of melting glaciers and polar bears stranded on shrinking ice floes. The dangers of peer-to-peer (P2P) networking are not in the class of global warming -- except, perhaps, to CSOs. Nonetheless, graphic examples of P2P security breakdowns are frightening. The dangers of P2P are well illustrated in this InformationWeek story in which a writer tried his hand at invading the hard drives of people using the protocol.
After what appears to be fairly easy searching, the writer came up with "a feast of documents, along with some really bad music." On one machine, the reporter mentioned that he found songs by Foreigner -- reporting can be dangerous -- audit results, notes from interviews on internal investigations and several companies' financials. The story offers several examples of highly sensitive information that, with little effort, was his for the taking.
Security is not mentioned directly in this newsvine.com story on a new wrinkle on P2P -- called P4P -- but the development clearly has implications in this area. P2P, besides creating security headaches, is the most egregious bandwidth hog on the Internet. This story says that a study by Yale University, Pando Networks, Verizon and Telefonica suggested that P4P can cut bandwidth requirements by half.
When a person requests a P2P file, bits and pieces of it are sent from all over the Internet. P4P cuts traffic requirements by favoring servers closer to the requests. The study says P4P cut the number of server hops from 5.5 to 0.89, and 58 percent of traffic remained local, compared with 6 percent in traditional P2P scenarios.
The story says questions surrounding P4P center on the willingness of ISPs to offer the information needed to engineer such approaches. The use of deeper information is where the most obvious link to security is. The story doesn't go into the technology too deeply, but it seems likely that P4P use is similar to deep packet inspection (DPI) technologies, which assess packets at a comparatively deep level.
Dark Reading sums it up nicely: The three P2P problems are unauthorized trafficking of content that is copyright protected, the use of too much bandwidth, and the loss of sensitive data. The author maintains that each of these can be addressed. He mentions a vendor, Audible Magic, which makes software that monitors traffic for copyright protected material. Traffic shaping vendors such as Allot, Packeteer and PacketShaper can control the amount of bandwidth being lavished on P2P. On the security side, Tiversa looks for its client companies' sensitive content on P2P networks.
Identity Finder, a product described in this Techworld article, gives PC owners a better idea of what types of data actually exist in their machines. Keeping a handle on sensitive data is a more practical way of guarding against P2P thieves than trying to keep employees from using the application.
Believe it or not, there is a germ of good news in this. Clearly, P2P presents several problems. It seems, however, that those problems -- copyright infringement, bandwidth gluttony and security -- are linked. This means that the solutions can be as well.